research poc
Windows Defender Execution Folder Hijack via Symbolic LinkFolder Redirect Technique
A researcher demonstrated a technique to hijack Windows Defender's execution folder by creating a symbolic link with a higher version number in the Platform directory. After reboot, Defender runs from an attacker-controlled folder, enabling DLL sideloading or service disruption. This bypasses Defender's self-protection without requiring vulnerable drivers.