Publicly reported techniques recorded as bypassing Microsoft. Each entry is sourced to its original disclosure. This is a factual tally, maintained on the same basis for every vendor in the Index.

| Technique | Entries | High-confidence | Most recent |
|---|---|---|---|
| AMSI Bypass | 34 | 29 | 2026-05-21 |
| BYOVD (Vulnerable Driver) | 24 | 23 | 2026-05-03 |
| Disable or Modify Tools | 17 | 16 | 2026-05-21 |
| Exploitation for Priv-Esc | 9 | 8 | 2026-05-22 |
| Tamper-Protection Bypass | 8 | 7 | 2026-04-17 |
| Obfuscation / Packing | 7 | 6 | 2026-04-20 |
| Process Injection | 6 | 4 | 2025-08-14 |
| Code-Signing Abuse | 5 | 5 | 2026-05-23 |
| Valid Accounts | 4 | 4 | 2026-05-13 |
| Pre-OS Boot | 4 | 4 | 2025-08-24 |
| DLL Side-Loading | 4 | 4 | 2026-05-11 |
| EDR Unhooking | 4 | 3 | 2025-12-05 |
| LSASS Credential Dumping | 3 | 3 | 2026-05-13 |
| Masquerading | 3 | 3 | 2025-12-28 |
| Indicator Removal | 2 | 2 | 2024-04-22 |
| Rootkit | 2 | 2 | 2026-04-14 |
| Reflective Code Loading | 2 | 1 | 2026-03-29 |
| Direct Syscalls | 2 | 1 | 2026-05-04 |
| ETW Tampering | 1 | 0 | 2026-05-19 |
| Safe-Mode Boot | 1 | 1 | 2024-09-25 |

| Technique | Confidence | Disclosed | Source | |
|---|---|---|---|---|
| Code-Signing Abuse | high | 2026-05-23 | www.positioniseverything.net | record → |
| Exploitation for Priv-Esc | medium | 2026-05-22 | Microsoft Threat Intel | record → |
| Disable or Modify Tools | high | 2026-05-21 | Huntress | record → |
| AMSI Bypass | high | 2026-05-21 | www.tiraniddo.dev | record → |
| Code-Signing Abuse | high | 2026-05-20 | cybersecuritynews.com | record → |
| ETW Tampering | medium | 2026-05-19 | medium.com | record → |
| Exploitation for Priv-Esc | high | 2026-05-18 | thehackernews.com | record → |
| Exploitation for Priv-Esc | high | 2026-05-18 | www.csoonline.com | record → |
| AMSI Bypass | high | 2026-05-16 | infosecwriteups.com | record → |
| LSASS Credential Dumping | high | 2026-05-13 | theregister.com | record → |
| Valid Accounts | high | 2026-05-13 | lyrie.ai | record → |
| DLL Side-Loading | high | 2026-05-11 | The DFIR Report | record → |
| Direct Syscalls | high | 2026-05-04 | hackers-arise.com | record → |
| BYOVD (Vulnerable Driver) | high | 2026-05-03 | lyrie.ai | record → |
| LSASS Credential Dumping | high | 2026-04-27 | www.persistent-security.net | record → |
| Obfuscation / Packing | medium | 2026-04-20 | github.com | record → |
| AMSI Bypass | high | 2026-04-18 | medium.com | record → |
| Tamper-Protection Bypass | high | 2026-04-17 | gbhackers.com | record → |
| Exploitation for Priv-Esc | high | 2026-04-17 | www.cyderes.com | record → |
| Rootkit | high | 2026-04-14 | www.gendigital.com | record → |
| Exploitation for Priv-Esc | high | 2026-04-07 | www.cyderes.com | record → |
| Reflective Code Loading | high | 2026-03-29 | medium.com | record → |
| BYOVD (Vulnerable Driver) | high | 2026-03-26 | labs.cloudsecurityalliance.org | record → |
| BYOVD (Vulnerable Driver) | high | 2026-03-26 | github.com | record → |
| BYOVD (Vulnerable Driver) | high | 2026-03-13 | www.healthcaredive.com | record → |
| DLL Side-Loading | high | 2026-03-08 | cybernoz.com | record → |
| AMSI Bypass | high | 2026-03-05 | github.com | record → |
| Disable or Modify Tools | high | 2026-02-27 | binarydefense.com | record → |
| BYOVD (Vulnerable Driver) | high | 2026-02-24 | blog.silentforce.io | record → |
| Tamper-Protection Bypass | high | 2026-02-19 | medium.com | record → |
| BYOVD (Vulnerable Driver) | high | 2026-02-10 | github.com | record → |
| Obfuscation / Packing | high | 2026-01-28 | bloo.io | record → |
| AMSI Bypass | high | 2026-01-13 | medium.com | record → |
| Disable or Modify Tools | high | 2026-01-11 | cybernoz.com | record → |
| AMSI Bypass | high | 2026-01-10 | gist.github.com | record → |
| Masquerading | high | 2025-12-28 | medium.com | record → |
| AMSI Bypass | high | 2025-12-28 | medium.com | record → |
| EDR Unhooking | high | 2025-12-05 | medium.com | record → |
| Obfuscation / Packing | high | 2025-12-02 | github.com | record → |
| Disable or Modify Tools | high | 2025-11-17 | cyberpress.org | record → |
| AMSI Bypass | medium | 2025-11-14 | medium.com | record → |
| BYOVD (Vulnerable Driver) | high | 2025-11-14 | gbhackers.com | record → |
| Tamper-Protection Bypass | high | 2025-11-13 | err0rgod.medium.com | record → |
| BYOVD (Vulnerable Driver) | high | 2025-11-10 | github.com | record → |
| BYOVD (Vulnerable Driver) | high | 2025-11-07 | github.com | record → |
| DLL Side-Loading | high | 2025-11-01 | cybernoz.com | record → |
| AMSI Bypass | high | 2025-10-17 | blog.ukatemi.com | record → |
| Disable or Modify Tools | high | 2025-10-15 | windowsforum.com | record → |
| Tamper-Protection Bypass | high | 2025-10-10 | labs.infoguard.ch | record → |
| Obfuscation / Packing | high | 2025-10-01 | www.noahheraud.com | record → |
| Disable or Modify Tools | high | 2025-09-29 | prevent-ransomware.com | record → |
| Reflective Code Loading | medium | 2025-09-23 | g3tsyst3m.com | record → |
| BYOVD (Vulnerable Driver) | high | 2025-08-28 | radar.offseq.com | record → |
| Disable or Modify Tools | high | 2025-08-28 | beierle.win | record → |
| Pre-OS Boot | high | 2025-08-24 | github.com | record → |
| Process Injection | high | 2025-08-14 | github.com | record → |
| BYOVD (Vulnerable Driver) | medium | 2025-08-07 | mine2.io | record → |
| AMSI Bypass | high | 2025-07-28 | www.netskope.com | record → |
| AMSI Bypass | high | 2025-07-23 | github.com | record → |
| Masquerading | high | 2025-07-14 | www.kaspersky.com | record → |
| EDR Unhooking | medium | 2025-07-13 | github.com | record → |
| Process Injection | high | 2025-06-25 | undercodetesting.com | record → |
| AMSI Bypass | high | 2025-06-24 | github.com | record → |
| Code-Signing Abuse | high | 2025-06-19 | undercodetesting.com | record → |
| Disable or Modify Tools | high | 2025-06-15 | github.com | record → |
| LSASS Credential Dumping | high | 2025-06-13 | undercodetesting.com | record → |
| Tamper-Protection Bypass | medium | 2025-06-12 | github.com | record → |
| Disable or Modify Tools | high | 2025-06-10 | www.linkedin.com | record → |
| Exploitation for Priv-Esc | high | 2025-06-10 | cybersecuritynews.com | record → |
| AMSI Bypass | high | 2025-06-06 | medium.com | record → |
| AMSI Bypass | high | 2025-06-03 | medium.com | record → |
| BYOVD (Vulnerable Driver) | high | 2025-05-30 | threatlabsnews.xcitium.com | record → |
| AMSI Bypass | medium | 2025-05-16 | shells.systems | record → |
| Exploitation for Priv-Esc | high | 2025-05-15 | cybersecuritynews.com | record → |
| AMSI Bypass | high | 2025-05-12 | github.com | record → |
| AMSI Bypass | high | 2025-04-24 | github.com | record → |
| AMSI Bypass | high | 2025-04-15 | github.com | record → |
| Disable or Modify Tools | high | 2025-04-08 | www.sentinelone.com | record → |
| BYOVD (Vulnerable Driver) | high | 2025-03-16 | asec.ahnlab.com | record → |
| AMSI Bypass | medium | 2025-03-11 | github.com | record → |
| AMSI Bypass | high | 2025-02-28 | lumu.io | record → |
| BYOVD (Vulnerable Driver) | high | 2025-01-18 | www.zerosalarium.com | record → |
| Disable or Modify Tools | high | 2024-12-01 | cloudbrothers.info | record → |
| AMSI Bypass | high | 2024-11-21 | practicalsecurityanalytics.com | record → |
| AMSI Bypass | high | 2024-10-20 | github.com | record → |
| Safe-Mode Boot | high | 2024-09-25 | github.com | record → |
| BYOVD (Vulnerable Driver) | high | 2024-09-18 | cybersecuritynews.com | record → |
| Exploitation for Priv-Esc | high | 2024-08-19 | securityaffairs.com | record → |
| BYOVD (Vulnerable Driver) | high | 2024-08-18 | github.com | record → |
| Disable or Modify Tools | high | 2024-08-11 | dazzyddos.github.io | record → |
| Code-Signing Abuse | high | 2024-08-06 | www.elastic.co | record → |
| AMSI Bypass | medium | 2024-08-02 | github.com | record → |
| Pre-OS Boot | high | 2024-07-17 | github.com | record → |
| BYOVD (Vulnerable Driver) | high | 2024-07-16 | trustedsec.com | record → |
| BYOVD (Vulnerable Driver) | high | 2024-06-27 | infosecwriteups.com | record → |
| Obfuscation / Packing | high | 2024-06-26 | kaganeglence.com | record → |
| AMSI Bypass | high | 2024-06-22 | www.elastic.co | record → |
| Tamper-Protection Bypass | high | 2024-06-05 | github.com | record → |
| Disable or Modify Tools | high | 2024-05-29 | cybernoz.com | record → |
| Obfuscation / Packing | high | 2024-05-29 | www.dotsec.com | record → |
| Valid Accounts | high | 2024-05-27 | rootsecdev.medium.com | record → |
| BYOVD (Vulnerable Driver) | high | 2024-05-27 | github.com | record → |
| Direct Syscalls | medium | 2024-05-08 | github.com | record → |
| AMSI Bypass | high | 2024-05-04 | github.com | record → |
| AMSI Bypass | high | 2024-05-03 | www.offsec.com | record → |
| Code-Signing Abuse | high | 2024-04-26 | vsociety.medium.com | record → |
| Disable or Modify Tools | high | 2024-04-24 | gbhackers.com | record → |
| Indicator Removal | high | 2024-04-22 | winbuzzer.com | record → |
| Pre-OS Boot | high | 2024-04-09 | www.cve.news | record → |
| BYOVD (Vulnerable Driver) | high | 2024-04-05 | github.com | record → |
| BYOVD (Vulnerable Driver) | high | 2024-04-04 | github.com | record → |
| Disable or Modify Tools | high | 2024-03-21 | blog.talosintelligence.com | record → |
| DLL Side-Loading | high | 2024-03-13 | cybersecsentinel.com | record → |
| AMSI Bypass | medium | 2024-03-07 | github.com | record → |
| Obfuscation / Packing | high | 2024-02-27 | github.com | record → |
| Rootkit | high | 2024-02-25 | github.com | record → |
| Exploitation for Priv-Esc | high | 2024-02-07 | research.checkpoint.com | record → |
| Pre-OS Boot | high | 2024-02-01 | blog.compass-security.com | record → |
| AMSI Bypass | high | 2024-01-21 | medium.com | record → |
| Valid Accounts | high | 2024-01-20 | www.microsoft.com | record → |
| BYOVD (Vulnerable Driver) | high | 2024-01-12 | www.trendmicro.com | record → |
| Process Injection | high | 2023-12-08 | securityaffairs.com | record → |
| AMSI Bypass | high | 2023-11-30 | gist.github.com | record → |
| Process Injection | high | 2023-11-16 | chayanin-mews.medium.com | record → |
| Masquerading | high | 2023-11-11 | blogs.pivotsec.in | record → |
| Process Injection | medium | 2023-10-28 | github.com | record → |
| AMSI Bypass | high | 2023-10-24 | github.com | record → |
| Tamper-Protection Bypass | high | 2023-10-17 | www.csis.com | record → |
| AMSI Bypass | high | 2023-10-06 | github.com | record → |
| Disable or Modify Tools | high | 2023-09-13 | labs.infoguard.ch | record → |
| Tamper-Protection Bypass | high | 2023-09-12 | www.sentinelone.com | record → |
| AMSI Bypass | high | 2023-08-28 | github.com | record → |
| Process Injection | medium | 2023-08-21 | github.com | record → |
| BYOVD (Vulnerable Driver) | high | 2023-08-16 | jmp-esp.org | record → |
| Indicator Removal | high | 2023-08-11 | www.safebreach.com | record → |
| Valid Accounts | high | 2023-08-08 | securityboulevard.com | record → |
| AMSI Bypass | high | 2023-07-19 | github.com | record → |
| EDR Unhooking | high | 2023-06-07 | www.linkedin.com | record → |
| Disable or Modify Tools | medium | 2023-06-01 | www.threatlocker.com | record → |
| EDR Unhooking | high | 2023-06-01 | github.com | record → |
| AMSI Bypass | high | 2023-06-01 | github.com | record → |
| BYOVD (Vulnerable Driver) | high | 2023-05-31 | www.bleepingcomputer.com | record → |

Counts reflect distinct publicly reported events on record; absence of an entry means no confirmed public report is on file, not that a product is unaffected.