Bypass Record

EDR Unhooking × all major EDR solutions

A publicly reported instance of EDR Unhooking bypassing all major EDR solutions, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: all major EDR solutions
Technique: EDR Unhooking
MITRE ATT&CK: T1562.001
Confidence: Medium
Severity: Critical
Status: poc
Disclosed: 2025-04-03
Config / version noted: Not stated

Provenance

Reported as: neutralizing all major EDR solutions

Mechanism

During process initialization, before EDR DLLs are loaded, the attacker overwrites the AvrfpAPILookupCallbackRoutine function pointer in ntdll.dll's .mrdata section with a custom callback. This callback executes early, allowing the attacker to hook LdrLoadDll and other functions, patch memory to block EDR DLL loading, and run arbitrary code before any EDR monitoring begins.

Detection & mitigation

Monitor for early process creation events (Sysmon Event ID 1) with suspicious parent processes or command-line arguments that indicate .NET execution, and enable Windows Defender Application Control (WDAC) to restrict untrusted code from modifying ntdll.dll in memory. Additionally, use kernel-level callbacks or hypervisor-based integrity checks to detect unauthorized modifications to the .mrdata section of ntdll.dll during process initialization.


This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.