Technique Record · T1562.001

EDR Unhooking

Name: EDR Unhooking — EDR bypass record
Creator: ColdRecon

Publicly-reported instances of EDR Unhooking bypassing endpoint security products. Maintained on the same basis for every technique in the Index.

recorded bypasses

products affected

Products recorded as bypassed by EDR Unhooking

Product	Entries	High-confidence	Most recent
CrowdStrike	4	2	2025-12-07
Microsoft	4	3	2025-12-05
Palo Alto Networks	2	0	2025-10-18
SentinelOne	2	1	2025-12-07
Sophos	2	1	2025-05-24
Bitdefender	2	2	2025-12-07
major EDR vendor (unnamed)	1	0	2024-06-11
Elastic	1	1	2025-11-06
all major EDR solutions	1	0	2025-04-03

Product	Confidence	Disclosed	Source
CrowdStrike	high	2025-12-07	github.com	record →
Bitdefender	high	2025-12-07	github.com	record →
SentinelOne	high	2025-12-07	github.com	record →
Microsoft	high	2025-12-05	medium.com	record →
Elastic	high	2025-11-06	radar.offseq.com	record →
Palo Alto Networks	medium	2025-10-18	www.brinztech.com	record →
CrowdStrike	medium	2025-10-18	www.brinztech.com	record →
CrowdStrike	medium	2025-07-13	github.com	record →
Microsoft	medium	2025-07-13	github.com	record →
SentinelOne	medium	2025-07-13	github.com	record →
Sophos	medium	2025-05-24	github.com	record →
Palo Alto Networks	medium	2025-05-24	github.com	record →
all major EDR solutions	medium	2025-04-03	medium.com	record →
Bitdefender	high	2024-11-26	scavengersecurity.com	record →
major EDR vendor (unnamed)	medium	2024-06-11	medium.com	record →
Sophos	high	2023-12-27	app.daily.dev	record →
CrowdStrike	high	2023-07-06	inbits-sec.com	record →
Microsoft	high	2023-06-07	www.linkedin.com	record →
Microsoft	high	2023-06-01	github.com	record →

Counts reflect distinct publicly-reported events on record; absence of an entry means no confirmed public report is on file.