Bypass Record
DLL Side-Loading × Microsoft Windows Defender
A publicly-reported instance of DLL Side-Loading bypassing Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
Creates bind links for every subfolder of the EDR's parent directory (e.g., Program Files) to an attacker-controlled temp directory, excluding the EDR's own folder. Then creates a bind link from the parent directory itself to the temp directory, so the EDR sees the temp directory as its parent: path lookups under the parent directory now resolve into the temp directory, while the EDR's own folder still resolves normally. Any DLL the EDR loads by a path under that parent directory, outside its own folder, can therefore be supplied by the attacker by dropping a file of the same name into the temp directory (DLL hijacking).
Detection & mitigation
Monitor for creation of bind links (e.g., via the CreateBindLink API or tooling such as CreateMountPoint) whose redirected path is Program Files or another EDR installation path, especially when the backing location is a temporary or user-writable directory. Bind links are applied by the Windows bind filter (bindflt) rather than written to disk as reparse points, so telemetry that only watches junction or symbolic-link creation will not see them. Enforce Windows Defender Application Control (WDAC) or an equivalent policy to restrict which DLLs may load, preferring signer-based rules over path-based rules, since the path is exactly what the attacker redirects. Confirm that EDR self-protection (tamper protection) is enabled so the product's own files and directories cannot be redirected or modified.
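The monitoring described above, as an added example that is not part of the original record or its cited source: a Python heuristic run over bind-link creation events. The event schema (user, virtual_path, backing_path, exceptions) is an assumption standing in for whatever telemetry captures bind-link creation in your environment, the sample events are constructed, and the protected and writable path lists are assumptions to tune to the estate. It flags each suspicious link individually and also the mirror-then-redirect sequence from the record: several links for subfolders of one protected root by the same user, followed by a link for the root itself.

```python
"""Heuristic detection of bind-link path redirection against an EDR install root.

Added example; event schema, sample events and path lists are constructed
assumptions, not a documented Windows event format.
"""
import ntpath
from collections import defaultdict
from dataclasses import dataclass

# Roots under which EDR/AV products are installed (assumption; tune per estate).
PROTECTED_ROOTS = (
    r"C:\Program Files",
    r"C:\Program Files (x86)",
    r"C:\ProgramData\Microsoft\Windows Defender",
)
# Locations a low-privileged actor can normally write to (assumption).
WRITABLE_ROOTS = (
    r"C:\Users",
    r"C:\Windows\Temp",
    r"C:\Temp",
)


@dataclass(frozen=True)
class BindLinkEvent:
    """One bind-link creation event (constructed schema)."""
    user: str
    virtual_path: str       # path that will now resolve elsewhere
    backing_path: str       # where it resolves to
    exceptions: tuple = ()  # sub-paths excluded from the redirection


def _norm(path):
    # Case-insensitive, separator-normalised Windows path without trailing slash.
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")


def is_under(path, root):
    """True if path equals root or lies beneath it."""
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r + "\\")


def classify(ev):
    """Return detection reasons for one event; an empty list means not flagged."""
    reasons = []
    root = next((r for r in PROTECTED_ROOTS if is_under(ev.virtual_path, r)), None)
    if root is None:
        return reasons
    if _norm(ev.virtual_path) == _norm(root):
        reasons.append("entire protected root redirected: " + ev.virtual_path)
    else:
        reasons.append("path under protected root redirected: " + ev.virtual_path)
    if any(is_under(ev.backing_path, w) for w in WRITABLE_ROOTS):
        reasons.append("backing path is user-writable: " + ev.backing_path)
    # A redirection of the whole root that exempts one product folder matches
    # the record: everything but the EDR's own folder is sent to the mirror.
    carved = [x for x in ev.exceptions if is_under(x, ev.virtual_path)]
    if carved:
        reasons.append("exception carves out product folder(s): " + ", ".join(carved))
    return reasons


def detect(events, min_subfolder_links=3):
    """Flag events individually and report mirror-then-redirect sequences.

    A sequence is (user, protected root, subfolder link count) where the same
    user created links touching at least min_subfolder_links subfolders of the
    root and also redirected the root itself. Either side of a subfolder link
    counts, so the direction the mirror is built in does not matter.
    """
    findings = {}
    seq = defaultdict(lambda: {"subfolders": set(), "root_redirected": False})
    for idx, ev in enumerate(events):
        reasons = classify(ev)
        if reasons:
            findings[idx] = reasons
        for root in PROTECTED_ROOTS:
            key = (ev.user, root)
            if _norm(ev.virtual_path) == _norm(root):
                seq[key]["root_redirected"] = True
            for side in (ev.virtual_path, ev.backing_path):
                if is_under(side, root) and _norm(side) != _norm(root):
                    seq[key]["subfolders"].add(_norm(side))
    sequences = [
        (user, root, len(s["subfolders"]))
        for (user, root), s in seq.items()
        if s["root_redirected"] and len(s["subfolders"]) >= min_subfolder_links
    ]
    return {"events": findings, "sequences": sequences}


# Constructed sample: three mirror links, the root redirect with the Defender
# folder exempted, and one benign link outside any protected root.
MIRROR = r"C:\Users\alice\AppData\Local\Temp\mirror"
SAMPLE_EVENTS = [
    BindLinkEvent("LAB\\alice", r"C:\Program Files\Common Files", MIRROR + r"\Common Files"),
    BindLinkEvent("LAB\\alice", r"C:\Program Files\Internet Explorer", MIRROR + r"\Internet Explorer"),
    BindLinkEvent("LAB\\alice", r"C:\Program Files\Windows Mail", MIRROR + r"\Windows Mail"),
    BindLinkEvent("LAB\\alice", r"C:\Program Files", MIRROR,
                  exceptions=(r"C:\Program Files\Windows Defender",)),
    BindLinkEvent("LAB\\build", r"C:\Builds\cache", r"D:\fastdisk\cache"),
]

if __name__ == "__main__":
    result = detect(SAMPLE_EVENTS)
    for idx, reasons in result["events"].items():
        print(idx, SAMPLE_EVENTS[idx].virtual_path, "->", "; ".join(reasons))
    print("sequences:", result["sequences"])
```

The per-event rule alone would fire on legitimate administrative redirections inside Program Files, so the sequence check is what lifts confidence: one user building a mirror of a product's parent directory and then swapping the parent for the mirror has no obvious benign reading.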
This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.