Bypass Record

EDR Unhooking × Microsoft Defender

A publicly-reported instance of EDR Unhooking bypassing Microsoft Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Defender
Technique: EDR Unhooking
MITRE ATT&CK: T1562.001
Confidence: Medium
Severity: High
Status: poc
Disclosed: 2025-07-13
Config / version noted: Not stated

Provenance

Reported as: explicitly stated to bypass Defender

Mechanism

PhantomLoad executes shellcode entirely in memory without touching disk. It evades detection by unhooking NTDLL to bypass userland hooks, patching ETW to suppress telemetry, disabling AMSI to avoid script scanning, and spoofing the parent process ID to blend in. It uses direct syscalls, AES-256 encryption with staged decryption, and anti-analysis tricks such as Heaven's Gate for WoW64 transitions and sleep masking.

Detection & mitigation

Monitor for process hollowing, direct syscalls, and unhooking behavior (e.g., NTDLL modifications). Deploy kernel-level callbacks and ETW provider integrity checks. Use memory scanning for RWX regions and suspicious thread creation. Enforce application control and restrict execution of unsigned binaries.

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.