Bypass Record

EDR Unhooking × Bitdefender Endpoint Security (atcuf64.dll)

A publicly-reported instance of EDR Unhooking bypassing Bitdefender Endpoint Security (atcuf64.dll), recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Bitdefender Endpoint Security (atcuf64.dll)
Technique: EDR Unhooking
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: poc
Disclosed: 2024-11-26
Config / version noted: Not stated

Provenance

Reported as

SEGRUN uses exception handlers to bypass userland EDR hooks by corrupting the EDR DLL's memory permissions... This effectively unhooks userland API hooks without executing EDR code.

Mechanism

The technique sets a custom exception handler that, upon access violation from a corrupted (non-executable) EDR DLL, performs a ROP to a 'ret' gadget, incrementing RIP by one to skip the faulting instruction. The EDR DLL is corrupted by changing its memory protection to non-executable via VirtualProtect, causing exceptions whenever trampolines redirect execution to the EDR's monitoring code. This effectively unhooks userland API hooks without executing EDR code.

Detection & mitigation

Monitor for VirtualProtect calls targeting EDR DLL memory regions to change protections to non-executable, and for the registration of vectored exception handlers via AddVectoredExceptionHandler. Mitigation includes enabling hardware-enforced stack protection and using kernel callbacks to validate userland hook integrity.


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.