Bypass Record

EDR Unhooking × Microsoft Windows Defender

A publicly-reported instance of EDR Unhooking bypassing Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Windows Defender
Technique: EDR Unhooking
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: poc
Disclosed: 2025-12-05
Config / version noted: Not stated

Provenance

Reported as

uses process injection and API unhooking to evade Windows Defender's real-time protection

Mechanism

The loader performs environment analysis to detect security products, then uses process injection and API unhooking to evade Windows Defender's real-time protection, allowing C2 communication.

Detection & mitigation

Monitor for suspicious process injection events (e.g., CreateRemoteThread, NtMapViewOfSection) targeting security product processes, and use kernel callbacks or ETW providers to detect unhooking of user-mode API hooks. Deploy tamper protection and enable attack surface reduction rules to prevent loading of untrusted DLLs into protected processes.

EDR Unhooking has also been recorded against

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.