incident
Threat Actors Use Mounted Guest Technique to Bypass EDR on Hyper-V Virtual MachinesMounted Guest EDR Bypass
Stroz Friedberg observed a previously undocumented EDR bypass technique used in the wild. Attackers with administrative access to a Hyper-V host mounted a virtual machine's disk file, deleted EDR program files from the offline volume, then rebooted the VM without EDR protection to deploy ransomware. This method exploits the host-guest relationship in hypervisors and is not specific to any EDR product or hypervisor platform.