// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE INT-175DTG 0600Z
Endpoint Security Vendor

Microsoft

175 PUBLIC SECURITY EVENTS ON FILE · 2023-05-31 — 2026-05-25

Publicly-known security events concerning Microsoft — CVEs, advisories, and incidents drawn from open-source reporting. Every item links to its original source.

Category

What Microsoft sells

EDR is agent-based endpoint tooling that monitors process/file/network activity, detects malicious behavior, and enables response. It is detection-led by design: it observes and acts after code executes. Its efficacy depends on recognizing a threat, so novel/zero-day techniques are a window of exposure until detected.

SOURCE · ColdRecon Reference

Microsoft competes in the endpoint-security category. ColdRecon publishes only the factual public record below — no competitive analysis or positioning.

The Public Record

Recent security events

On file: 39 vuln disclosures · 28 incidents · 108 research pocs.

2026-05-25
vuln disclosure
Two Windows zero-days expose gaps in built-in security protections
Two newly disclosed Windows zero-day vulnerabilities are raising concerns about the effectiveness of built-in security controls. The article does not provide specific CVE identifiers or technical details. It highlights that reliance on default Windows protections may be insufficient.
2026-05-23
vuln disclosure
CVE-2013-3900: WinVerifyTrust Signature Validation WeaknessCVE-2013-3900
CVE-2013-3900 is a vulnerability in the Windows WinVerifyTrust function that validates Authenticode signatures on portable executable files. Attackers can append malicious data to a signed file without invalidating the signature, potentially allowing unsigned code to execute while appearing trusted. This undermines endpoint security mechanisms that rely on code-signing verification.
2026-05-23
vuln disclosure
Google Accidentally Publishes Exploit Code for Chromium Sandbox Escape Before PatchCVE-2025-2783
Google inadvertently published exploit code for a high-severity Chromium sandbox escape vulnerability (CVE-2025-2783) before a patch was available. The flaw allows attackers to bypass the browser's sandbox protections, potentially leading to arbitrary code execution. The premature disclosure increases the risk of in-the-wild exploitation before users can apply the fix.
2026-05-22
incident
Multi-stage Linux intrusion via compromised F5 BIG-IP and unpatched Confluence leads to Active Directory relay attackMulti-stage Linux intrusion via F5 and Confluence
A threat actor compromised an end-of-life F5 BIG-IP edge appliance and pivoted to an internal Linux host via SSH. From there, they exploited an unpatched Atlassian Confluence server to gain code execution and used relay-style authentication attacks against Active Directory. The incident highlights risks from unpatched edge devices and SaaS applications enabling lateral movement to identity systems.
2026-05-21
research poc
AMSI Bypass in Windows Scripting Host by Renaming WSCRIPT.EXE to AMSI.DLLAMSI.DLL Hijack via Executable Rename
A researcher demonstrated a method to disable the Antimalware Scan Interface (AMSI) in Windows Scripting Host (WSH) without admin privileges or registry changes. By copying WSCRIPT.EXE to AMSI.DLL and executing it, the scripting engine loads the renamed executable instead of the real AMSI.DLL, causing AMSI initialization to fail silently while scripts continue to run uninspected.
2026-05-21
vuln disclosure
Microsoft patches zero-day privilege escalation in Malware Protection Engine (mpengine.dll)CVE-2026-41091
Microsoft disclosed and patched a zero-day privilege escalation vulnerability, CVE-2026-41091, in the Microsoft Malware Protection Engine (mpengine.dll). The flaw affects multiple endpoint security products including Microsoft Defender and System Center Endpoint Protection. It was exploited in the wild before a patch was available.
2026-05-21
incident
The Gentlemen Ransomware Incidents with Defense Evasion via Event Log Clearing and Defender TamperingThe Gentlemen Ransomware
Huntress investigated two incidents in April and May 2026 involving The Gentlemen ransomware-as-a-service operation. In both cases, attackers cleared Security, System, and Application Event Logs and used PowerShell to disable Microsoft Defender and add antivirus exclusions. A leak of the operation's internal chats revealed additional evasion tools and techniques.
2026-05-20
incident
Fox Tempest Malware-Signing Service Abused Microsoft Artifact Signing to Certify MalwareFox Tempest Malware-Signing Abuse
The Fox Tempest malware-signing service exploited Microsoft's Artifact Signing infrastructure to digitally sign malicious code. This allowed attackers to bypass endpoint security defenses that trust Microsoft-signed binaries. The incident highlights a novel abuse of trusted code-signing mechanisms to evade detection.
2026-05-19
research poc
Micro-Stager: ETW TI Evasion via NtContinue in Managed EnvironmentsMicro-Stager
FORTiSEC researchers developed 'Micro-Stager', a technique to evade ETW Threat Intelligence telemetry by leveraging the NtContinue API to set hardware breakpoints without triggering kernel sensors. The method bypasses the CLR crash that occurs when calling NtContinue directly from managed code like PowerShell, enabling stealthy endpoint evasion.
2026-05-18
vuln disclosure
Pwn2Own Berlin 2024: 47 Zero-Days Disclosed Across Security ProductsPwn2Own Berlin 2024
At Pwn2Own Berlin 2024, security researchers disclosed 47 previously unknown zero-day vulnerabilities in various endpoint security and enterprise products. The event awarded $1.3 million in bounties, highlighting weaknesses in widely used security tools.
2026-05-18
vuln disclosure
Windows Cloud Filter Driver EoP Regression Vulnerability Resurfaces After 6 YearsCVE-2025-21294
A patched elevation-of-privilege vulnerability in the Windows Cloud Filter driver (cldflt.sys) has reappeared as a working SYSTEM-level exploit due to a regression. The flaw allows attackers to gain SYSTEM privileges, raising concerns about regression vulnerabilities in Windows.
2026-05-18
vuln disclosure
MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched SystemsMiniPlasma
MiniPlasma is a newly disclosed zero-day exploit that revives a 2020 vulnerability in the Windows cldflt.sys driver to achieve SYSTEM privilege escalation on fully patched Windows 11 systems as of May 2026. The technique bypasses existing patches, posing a risk to endpoint security by enabling attackers to gain elevated privileges.
2026-05-16
research poc
AI-Assisted Development of PowerShell AMSI Bypass for Signature Evasion TestingAI-Enhanced PowerShell AMSI Bypass
A security researcher used AI to iteratively develop a PowerShell script that bypasses the Antimalware Scan Interface (AMSI) by patching the AmsiScanBuffer function in memory. The AI-assisted workflow demonstrates how attackers can leverage large language models to refine evasion techniques against endpoint detection mechanisms.
2026-05-14
vuln disclosure
Microsoft Patches Exploited UnDefend and RedSun Defender Zero-DaysUnDefend and RedSun Defender zero-days
Microsoft has released patches for two zero-day vulnerabilities in Microsoft Defender, named UnDefend and RedSun, which were publicly disclosed last month. The flaws were actively exploited in the wild before the patch was available.
2026-05-13
vuln disclosure
Microsoft Defender Flaws Patched, BitLocker Bypass EmergesCVE-2025-21211
Microsoft patched multiple vulnerabilities in its Defender security product, addressing flaws that could allow attackers to bypass detection or elevate privileges. Separately, a BitLocker bypass technique was disclosed, potentially enabling attackers to access encrypted data under certain conditions.
2026-05-13
vuln disclosure
Microsoft discloses YellowKey Windows security feature bypass vulnerability CVE-2026-45585 with mitigation guidanceCVE-2026-45585
Microsoft acknowledged a security feature bypass vulnerability in Windows tracked as CVE-2026-45585 and publicly referred to as 'YellowKey'. The flaw is being exploited in the wild, and Microsoft has shared mitigation measures to defend against potential attacks.
2026-05-13
vuln disclosure
Researcher Discloses Two Microsoft Zero-Day Vulnerabilities Including Credential Dumping BypassCVE-2025-25504
A disgruntled researcher publicly released two zero-day vulnerabilities affecting Microsoft products. One flaw allows credential dumping from the LSASS process while bypassing Microsoft Defender for Endpoint detection. The disclosure raises concerns about increased risk of credential theft on compromised endpoints.
2026-05-13
incident
Entra ID Phantom Device Registration and PRT Bypass Enables Full Tenant CompromisePhantom Device + PRT Bypass
A red team engagement demonstrated a five-step attack chain against Microsoft Entra ID, starting from a single set of valid credentials blocked by Conditional Access. By exploiting gaps in Device Registration Service, phantom device registration, and Intune compliance evaluation, attackers achieved Global Administrator access without touching a corporate endpoint or deploying malware. The technique has been observed in the wild by the Storm-2372 APT group.
2026-05-13
vuln disclosure
CISA adds Microsoft Defender CVE-2023-36010 to Known Exploited Vulnerabilities catalogCVE-2023-36010
CISA added CVE-2023-36010, a denial-of-service vulnerability in Microsoft Defender, to its Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. The flaw allows an attacker to cause a denial of service on affected systems. This highlights the risk of vulnerabilities within endpoint security agents themselves.
2026-05-12
research poc
YellowKey exploit bypasses BitLocker encryption using USB key filesYellowKey
Security researchers demonstrated YellowKey, a zero-day exploit that decrypts Microsoft BitLocker-protected drives by placing specific files on a USB stick, bypassing the need for the recovery key or password. The attack requires physical access and leverages an apparent backdoor in the BitLocker implementation. A second zero-day, GreenPlasma, enables local privilege escalation.
2026-05-11
incident
EtherRat and TukTuk Malware Lead to The Gentleman Ransomware DeploymentEtherRat and TukTuk C2 leading to The Gentleman Ransomware
An intrusion began with a malicious MSI masquerading as Sysinternals RAMMap, deploying an EtherRAT variant that used Ethereum blockchain for C2 configuration. The threat actor later deployed TukTuk malware, a new AI-generated framework using SaaS platforms for C2, and ultimately executed The Gentleman ransomware across the domain via GPO after disabling defenses and exfiltrating data.
2026-05-04
research poc
Tenebris-Gate Multi-Layered Evasion Framework Bypasses Windows DefenderTenebris-Gate
Tenebris-Gate is a publicly available multi-layered evasion framework that encrypts and executes shellcode while bypassing Windows Defender detection. It uses compression, encryption, anti-debugging, API hashing, and tampered syscalls to avoid static and dynamic analysis. The tool was effective at the time of writing, having been publicly available for only two weeks.
2026-05-03
incident
Microsoft Defender for Endpoint falsely quarantines DigiCert root certificates as malwareMicrosoft Defender false positive on DigiCert root certificates
Microsoft Defender for Endpoint incorrectly flagged and quarantined legitimate DigiCert root certificates, causing potential disruption to TLS validation and application trust. The incident underscores risks of automated endpoint remediation when security tools misclassify critical system artifacts.
2026-04-28
research poc
PhantomRPC Privilege Escalation Technique in Windows via RPC InterfacesPhantomRPC
A security researcher disclosed a new privilege escalation technique called PhantomRPC that abuses RPC interfaces exposed by Local Service accounts, such as the DHCP Client service, to escalate privileges on Windows systems. No patch is available, and the technique relies on design flaws in RPC server implementations.
2026-04-27
research poc
AI-Driven Variant Analysis Bypasses Defender for Endpoint SAM Hive Extraction DetectionMonth of Bypasses - SAM Hive Extraction Bypass
Persistent Security Research Team launched a 'Month of Bypasses' series, using their Nemesis AI-driven BAS platform to discover a bypass for Microsoft Defender for Endpoint's detection of SAM hive credential dumping (T1003.002). The AI iteratively found a method using WMI to create a shadow copy and a raw disk read to extract the SAM hive, evading behavior monitoring. This demonstrates how AI can systematically find gaps in endpoint detection logic.
2026-04-26
vuln disclosure
Microsoft Entra Agent ID Flaw Enabled Tenant Takeover via Privilege EscalationCVE-2025-21395
A vulnerability in Microsoft Entra ID allowed an attacker to escalate privileges and potentially take over a tenant by abusing Service Principals. The flaw has been fully patched by Microsoft.
2026-04-20
research poc
Beatrice.py Tool Patches x64 Binaries with Alternative Opcodes to Evade AV and YARA DetectionBeatrice.py
Beatrice.py is a Python tool that modifies machine code in x64 binaries by substituting assembly instructions with functionally equivalent alternative opcodes of the same size. It aims to evade signature-based detection such as YARA rules and some antivirus solutions without altering program behavior. The tool was tested against Windows Defender and Elastic YARA rules in April 2026, showing mixed but often successful evasion for various C2 payloads and tools like Mimikatz.
2026-04-20
vuln disclosure
CVE-2026-32202: Windows Shell Security Feature Bypass Exploited by APT28CVE-2026-32202
A zero-click authentication coercion vulnerability in Windows Shell, tracked as CVE-2026-32202, stems from an incomplete patch for a previous security feature bypass. The vulnerability is actively exploited by Russian APT28 to bypass Defender SmartScreen, enabling malware delivery without user interaction.
2026-04-18
research poc
Research PoC: AMSI Bypass via amsiInitFailed Reflection and Fileless Payload Execution Detected by SysmonAMSI Bypass via amsiInitFailed Reflection
A research analysis demonstrates an AMSI bypass technique using PowerShell reflection to set the amsiInitFailed flag, followed by fileless payload execution via csc.exe. The attack chain was simulated with Atomic Red Team and detected using Sysmon telemetry, highlighting behavioral indicators for defense evasion.
2026-04-17
vuln disclosure
RedSun Zero-Day: Local Privilege Escalation via Microsoft Defender Race ConditionRedSun
On April 16, 2026, exploit developer Nightmare-Eclipse published RedSun, a working local privilege escalation exploit for Windows. RedSun abuses a race condition in Microsoft Defender's real-time scanning to write an attacker-controlled binary to System32, achieving SYSTEM privileges. The exploit is unpatched and has been observed in the wild.
2026-04-14
incident
JDownloader Supply-Chain Attack Deploys r77 Rootkit and WDAC Policy to Disable AntivirusJDownloader Supply-Chain Attack with r77 Rootkit and WDAC Policy
Attackers compromised the official JDownloader website and replaced download links with trojanized installers. The malicious installer deploys a Python bot, an r77 rootkit, and a WDAC policy that blocks 50 security executables from running, effectively killing antivirus protection. The attack uses dead-drop resolvers for resilient C2 communication.
2026-04-07
vuln disclosure
BlueHammer Windows Zero-Day Exploits Defender Update Process for Privilege EscalationBlueHammer
BlueHammer is a disclosed Windows zero-day vulnerability that leverages the Microsoft Defender update mechanism to achieve privilege escalation. The exploit remains unpatched at the time of reporting, posing a risk to systems relying on Defender. Technical details were published by Howler Cell.
2026-03-29
research poc
Windows Defender Bypass Demonstrated Using Rust PELoaderRust PELoader Defender Bypass
A proof-of-concept demonstrates bypassing Windows Defender by loading a PE file directly from memory using a Rust-based loader, avoiding disk writes. The technique highlights a detection gap in file-scanning approaches and emphasizes the need for memory-based detection.
2026-03-26
research poc
PoC Tool Uses BYOVD to Disable Driver Signature Enforcement via Kernel Memory PatchingBYOVD-DSE-Bypass
A proof-of-concept tool exploits a vulnerable signed Gigabyte driver (gdrv.sys) to gain kernel read/write primitives and patch ci.dll!g_CiOptions in memory, disabling Driver Signature Enforcement (DSE) on Windows. This allows loading unsigned kernel drivers, undermining a core OS security mechanism. The technique requires administrator privileges and specific system configurations (Secure Boot and HVCI disabled).
2026-03-24
incident
HwAudKiller BYOVD Campaign Exploits Huawei Audio Driver to Terminate EDR ProcessesHwAudKiller
A malvertising campaign since January 2026 uses fraudulent Google ads to deliver a kernel-mode EDR terminator named HwAudKiller. It exploits a previously undocumented vulnerability in the signed Huawei driver HWAuidoOs2Ec.sys to terminate 23 security products from ring-0, bypassing user-mode protections. The campaign has compromised over 60 victims, enabling credential theft and lateral movement.
2026-03-19
incident
Qilin and Warlock Ransomware Industrialize BYOVD EDR-Killer AttacksBYOVD EDR-Killer
Qilin and Warlock ransomware operations have adopted a kernel-level attack chain using Bring Your Own Vulnerable Driver (BYOVD) to disable over 300 endpoint security products before encryption. The technique abuses legitimately signed but vulnerable drivers to gain Ring 0 access, unregister EDR callbacks, and terminate security processes, leaving endpoints blind. Research from Cisco Talos and Trend Micro in April 2026 confirms the industrial scale of these attacks.
2026-03-13
incident
Stryker Manufacturing and Shipping Disrupted by Handala CyberattackHandala Intune Wiper Attack
Medtech company Stryker suffered a cyberattack claimed by Iran-linked group Handala, disrupting order processing, manufacturing, and shipping. The attack abused Microsoft Intune to push remote wipe commands to endpoints, bypassing traditional endpoint security. Stryker stated the incident is contained to its internal Microsoft environment with no malware or ransomware detected.
2026-03-08
research poc
Windows Defender Execution Folder Hijack via Symbolic LinkFolder Redirect Technique
A researcher demonstrated a technique to hijack Windows Defender's execution folder by creating a symbolic link with a higher version number in the Platform directory. After reboot, Defender runs from an attacker-controlled folder, enabling DLL sideloading or service disruption. This bypasses Defender's self-protection without requiring vulnerable drivers.
2026-03-05
research poc
New AMSI Bypass Tool with Multi-Layer Obfuscation ReleasedAMSIBypass
A new open-source tool named AMSIBypass has been released, implementing six different AMSI bypass techniques with randomized, multi-layer obfuscation to evade signature-based detection. The tool is designed for authorized security testing and can automatically test payloads until a working bypass is found, then inject it into a new PowerShell session.
2026-02-27
research poc
PoC Tool Disables Windows Defender and Sysmon via ACL Deny Entries on kernel32.dlldefender-acl-blocker
A proof-of-concept tool named defender-acl-blocker modifies ACLs on kernel32.dll to add Deny ACEs for Windows Defender and Sysmon service identities, preventing them from starting after reboot. The technique requires administrator privileges and leaves minimal telemetry, with detection possible via Windows Security Event ID 4670.
2026-02-24
research poc
Doppelganger LSASS Cloning Technique Evades EDR ProtectionsDoppelganger
Security researcher Andrea Varischio developed Doppelganger, a proof-of-concept tool that clones the LSASS process to extract credentials without touching the protected original. The technique bypasses EDR hooks, PPL, and monitoring by operating on a copy, leveraging BYOVD to disable PPL in kernel memory. This matters because it demonstrates a novel evasion method against modern EDRs that protect LSASS.
2026-02-19
research poc
Research Demonstrates Windows Defender Evasion via PPL ManipulationPPL-Manipulation-Defender-Evasion
A research proof-of-concept shows that elevating a user-mode process to WinTcb-Light protection level via a kernel driver can prevent Microsoft Defender from terminating or remediating it, despite detection telemetry. The technique exploits the PPL signer hierarchy where WinTcb (level 6) outranks Antimalware (level 3). It is not a reliable bypass due to driver signing requirements and PatchGuard.
2026-02-18
vuln disclosure
CVE-2022-23278: Microsoft Defender for Endpoint EDR Sensor Spoofing VulnerabilityCVE-2022-23278
CVE-2022-23278 is a spoofing vulnerability in Microsoft Defender for Endpoint's EDR sensor that could allow network-based attackers to manipulate security telemetry or impersonate trusted components. The flaw affects Windows, Linux, macOS, and Android endpoints, requiring no user interaction or privileges but with high attack complexity. Successful exploitation could undermine endpoint detection integrity across heterogeneous environments.
2026-02-10
research poc
BusterCall: HVCI Bypass via PFN Swapping to Modify Read-Only Kernel Code PagesBusterCall
BusterCall is a proof-of-concept tool demonstrating a technique to bypass Windows Hypervisor-protected Code Integrity (HVCI) by manipulating Page Frame Numbers (PFNs) in page table entries. It enables arbitrary kernel function calls from user mode on HVCI-enabled systems by hijacking the System Service Descriptor Table (SSDT) through PFN swapping. The technique exploits the fact that HVCI validates page attributes rather than physical content, allowing an attacker to redirect a read-only code page to a modified copy on a writable donor page.
2026-01-28
research poc
Bloo Research Demonstrates Windows Defender Bypass Using XOR-Encrypted Metasploit Shellcode and Custom LoaderMSFDefender
Bloo's TRI team executed a research project to evaluate Windows Defender's detection of Metasploit payloads. They found that directly generated EXE payloads were blocked, but by exporting raw shellcode, applying XOR encryption, and using a custom C loader, they bypassed Defender's real-time protection and static scanning. The research also explored the Script Web Delivery module for fileless execution.
2026-01-13
research poc
AMSI Bypass Using Reflection Techniques Remains Effective Against Modern AV/EDR in 2025AMSI Bypass via Reflection
Researchers demonstrated a proof-of-concept AMSI bypass using reflection techniques that successfully evaded modern antivirus and EDR solutions. The method manipulates the AMSI runtime to disable script content scanning, allowing malicious code execution. The bypass is expected to remain effective until Microsoft implements deeper reflection monitoring.
2026-01-11
research poc
EDRStartupHinder: Bindlink API Abuse to Block EDR Startup via DLL RedirectionEDRStartupHinder
A proof-of-concept tool, EDRStartupHinder, uses the Windows Bindlink API to redirect a critical DLL loaded by an EDR service to a corrupted copy, causing the EDR process to terminate itself due to Protected Process Light (PPL) restrictions. The technique targets the EDR before it fully starts by running as a higher-priority service, effectively preventing endpoint protection from loading.
2026-01-10
research poc
AMSI Bypass via HAMSICONTEXT Heap Corruption on Windows 11HAMSICONTEXT corruption AMSI bypass
A proof-of-concept demonstrates bypassing the Antimalware Scan Interface (AMSI) by corrupting the HAMSICONTEXT structure in the process heap. The technique locates the 'DotNet' appName string and its associated HAMSICONTEXT pointer via heap walking, then overwrites the context with zeros, disabling AMSI scanning for the process. This method is confirmed to work on Windows 11.
2025-12-28
research poc
Windows Defender Bypass Using Alternate Data Stream Shellcode LoaderShellcode-Loader-with-ADS
A proof-of-concept demonstrates bypassing Windows Defender by storing raw shellcode in an NTFS Alternate Data Stream (ADS) attached to a legitimate file. The loader reads and executes the shellcode from the ADS, evading static detection because Defender scans only the primary file stream. This technique reduces on-disk footprint and complicates forensic analysis.
2025-12-28
research poc
Research Demonstrates Bypass of Microsoft Defender for Endpoint AMSI ProviderMDE AMSI Provider Bypass
A security researcher published a proof-of-concept bypass for the AMSI provider in Microsoft Defender for Endpoint. The technique prevents MDE's AMSI integration from scanning script content, potentially allowing malicious scripts to evade detection. This matters because AMSI is a key defense layer against script-based attacks.
2025-12-05
research poc
Research PoC: Smart Malware Loader Evades Windows Defender via Environment AnalysisSmart Malware Loader with Environment Analysis
A researcher developed a proof-of-concept malware loader that dynamically analyzes its environment to evade Windows Defender detection and establish command and control. The loader uses techniques like process injection and API unhooking to bypass real-time protection. This demonstrates a method to circumvent endpoint security without exploiting a specific CVE.
2025-12-02
research poc
Windows Defender Bypass via Steganographic Meterpreter Payload in JPGSteganography-based Meterpreter payload in JPG
A proof-of-concept demonstrates bypassing Windows Defender real-time protection by embedding a Meterpreter reverse shell payload inside a JPG file. The payload executes undetected, establishing a reverse shell to a Kali Linux attacker. The technique relies on steganography to hide the malicious code from static and dynamic analysis.
2025-11-17
research poc
SilentButDeadly: WFP-Based Network Blocker Evades EDR and AVSilentButDeadly
A new proof-of-concept tool, SilentButDeadly, uses Windows Filtering Platform (WFP) dynamic sessions to block network communication of EDR and AV processes, neutralizing their cloud-dependent security functions. It requires administrator privileges and targets processes like SentinelOne and Windows Defender, preventing telemetry, updates, and remote management. The technique minimizes forensic artifacts by cleaning up filters on exit.
2025-11-14
research poc
EfiGuard Bootkit Disables Windows PatchGuard and Driver Signature EnforcementEfiGuard
EfiGuard is an open-source UEFI bootkit that patches the Windows kernel during boot to disable PatchGuard and Driver Signature Enforcement (DSE). It operates before the OS loads, allowing unsigned drivers and kernel modifications without triggering security checks. This demonstrates a persistent, pre-OS attack vector against endpoint security mechanisms.
2025-11-14
research poc
Rust-Based AMSI Memory Patching Technique DemonstratedAMSI Memory Patching via Rust
A red teamer demonstrates patching the AmsiScanBuffer function in memory using Rust to bypass Windows Antimalware Scan Interface (AMSI). The technique loads amsi.dll, locates AmsiScanBuffer, and overwrites its instructions to always return AMSI_RESULT_CLEAN, effectively disabling script content scanning. This allows execution of malicious PowerShell scripts without detection by AMSI-integrated security products.
2025-11-14
incident
RONINGLOADER Campaign Uses Signed Drivers to Disable Microsoft Defender and Bypass EDRRONINGLOADER
Elastic Security Labs discovered a campaign by Dragon Breath APT using a loader called RONINGLOADER that abuses signed kernel drivers to disable Microsoft Defender and other endpoint security products. The malware employs multi-stage evasion including PPL abuse, custom WDAC policies, and process termination to deploy the gh0st RAT. This represents an escalation in APT capabilities for neutralizing security tools.
2025-11-13
research poc
Researcher Demonstrates Physical Bypass of Windows Tamper ProtectionWindows Tamper Protection Physical Bypass
A penetration tester discovered a method to disable Windows Tamper Protection with physical access, enabling remote code execution via a C2 connection. The finding highlights that physical access can undermine a key defense designed to prevent automated tampering of Microsoft Defender settings. The researcher is coordinating responsible disclosure with Microsoft and has not released technical details.
2025-11-10
research poc
KVC Framework Released for Kernel-Level Security Research and EDR EvasionKVC
The KVC (Kernel Vulnerability Capabilities) framework was published as an open-source tool for Windows security research. It enables unsigned driver loading via DSE bypass and manipulation of process protections to dump LSASS memory, even on systems with HVCI/VBS enabled. The tool is intended for authorized penetration testing and education.
2025-11-07
research poc
Windows DSE Bypass Framework Demonstrates Kernel Code Integrity Callback PatchingKernelResearchKit
A publicly released research framework demonstrates a method to bypass Driver Signature Enforcement (DSE) on Windows 10 and 11 by surgically patching SeCiCallbacks in the kernel. The tool includes a boot-time native application and a runtime loader, enabling loading of unsigned drivers. This proof-of-concept highlights a persistent attack surface in kernel code integrity mechanisms.
2025-11-01
research poc
EDR-Redir V2 Uses Bind Links to Redirect EDR Parent FoldersEDR-Redir V2
A new technique, EDR-Redir V2, leverages Windows bind links to redirect the parent folder (e.g., Program Files) of an EDR's operating directory, bypassing folder protections. This allows an attacker to perform DLL hijacking by placing malicious files in a controlled location that the EDR sees as its parent. The method was demonstrated against Windows Defender on Windows 11 and is expected to work against many EDR solutions.
2025-10-17
research poc
Analysis of .NET AMSI and ETW bypass techniques in malware loadersAMSI bypass via in-memory patching of AmsiScanBuffer and EtwEventWrite
Researchers analyzed 59 .NET malware samples that implement AMSI and ETW bypasses by patching in-memory functions. The samples overwrite AmsiScanBuffer to return E_INVALIDARG or zero out buffer length, and patch EtwEventWrite to disable event tracing. These techniques allow loaders to execute malicious payloads undetected by security tools.
2025-10-15
vuln disclosure
CVE-2025-59497: TOCTOU Race Condition in Microsoft Defender for Endpoint on LinuxCVE-2025-59497
Microsoft disclosed CVE-2025-59497, a time-of-check time-of-use (TOCTOU) race condition in the Defender for Endpoint Linux agent. A local attacker with low privileges can trigger a denial-of-service condition, potentially disabling real-time protection and telemetry. A security update was released on October 14, 2025.
2025-10-14
vuln disclosure
CVE-2025-55330: BitLocker Security Feature Bypass via Physical AccessCVE-2025-55330
Microsoft disclosed CVE-2025-55330, a BitLocker security feature bypass that allows an attacker with physical access to circumvent encryption protections by manipulating boot-time decision logic. The vulnerability has a CVSS score of 6.1 (Medium) and is addressed by vendor updates. Exploitation does not break AES but targets improper enforcement of behavioral workflow during boot or recovery.
2025-10-10
vuln disclosure
Authentication Bypass in Microsoft Defender for Endpoint Cloud Communication Allows Command HijackingMicrosoft Defender for Endpoint Cloud Communication Authentication Bypass
Researchers discovered that Microsoft Defender for Endpoint's cloud backend does not validate authentication tokens on several endpoints, allowing an attacker with a machine ID and tenant ID to hijack incident response commands. This enables interception of commands like host isolation, spoofing of responses, and planting malicious files in investigation packages. Microsoft classified the issue as low severity and has not committed to a fix.
2025-10-01
research poc
Research PoC: Bypassing Windows Defender with AES-Encrypted ShellcodeAES-encrypted msfvenom payload bypassing Windows Defender
A security researcher demonstrates a simple method to evade Windows Defender detection by encrypting a msfvenom-generated payload with AES-256-CBC. The technique involves generating a random key and IV, encrypting the shellcode, and then decrypting it at runtime before injection. This bypasses static signature-based detection without requiring advanced evasion like indirect syscalls or IAT obfuscation.
2025-09-29
incident
Attackers Use Malicious WDAC Policies to Disable EDR AgentsWDAC Bypass
Cybercriminals are deploying malicious Windows Defender Application Control (WDAC) policies to block EDR executables, drivers, and services, effectively disabling endpoint detection. The technique, previously a proof-of-concept called Krueger, is now used in active malware like DreamDemon, targeting EDR products including CrowdStrike and Microsoft Defender for Endpoint. This bypass undermines the detect-and-respond model by blinding sensors before they initialize.
2025-09-23
research poc
In-Memory PE Loader Demonstrates EDR Bypass via Dynamic ExecutionIn-Memory PE Loader
A proof-of-concept demonstrates an in-memory PE loader that downloads and executes a portable executable (e.g., putty.exe, EDRSilencer, Mimikatz) within an already-approved process, avoiding disk writes and evading detection by EDR solutions like Microsoft Defender XDR and Sophos XDR. The technique leverages dynamic execution to load malicious tools into a trusted process context, reducing EDR alerts.
2025-08-28
incident
Silver Fox APT Exploits Microsoft-Signed WatchDog Driver to Terminate EDR ProcessesSilver Fox BYOVD campaign
Check Point Research uncovered an ongoing campaign by the Silver Fox APT group exploiting a previously unknown vulnerable Microsoft-signed WatchDog Antimalware driver to terminate protected endpoint processes on fully updated Windows systems. The attackers used a dual-driver strategy for compatibility and adapted after a patch by modifying the driver to bypass blocklists while preserving its valid signature. The campaign delivers ValleyRAT as the final payload, highlighting the weaponization of signed-but-vulnerable drivers to evade endpoint protection.
2025-08-28
research poc
WDAC Policies Used to Disable EDR Agents in the WildWDAC-EDR-Block
Research details how Windows Defender Application Control (WDAC) policies are being used by threat actors to block endpoint detection and response (EDR) agents. Multiple malware families, including Krueger and a new variant named DreamDemon, have been observed deploying WDAC policies that prevent EDR components from loading. The technique remains effective against many EDR products, with limited preventive capabilities from vendors.
2025-08-24
research poc
DSEclipse: UEFI Bootkit Patches Driver Signature Enforcement in Under 1 KBDSEclipse
A researcher released DSEclipse, a proof-of-concept UEFI bootkit written in x64 assembly that patches Windows Driver Signature Enforcement (DSE) at boot to allow loading unsigned drivers. The bootkit is only 976 bytes, supports HVCI, and leaves minimal traces. This demonstrates a technique to bypass a key Windows security mechanism before the OS initializes.
2025-08-14
research poc
Proof-of-Concept Tool Bypasses Chrome App-Bound Encryption to Extract Browser SecretsChrome-App-Bound-Encryption-Bypass
A publicly released proof-of-concept tool demonstrates in-memory bypass of Chromium's App-Bound Encryption (ABE) to extract cookies, passwords, browsing history, autofill data, and payment information from Chrome, Brave, and Edge without admin privileges. The tool uses direct syscall-based reflective process hollowing to evade endpoint defenses and operates filelessly. It highlights a technique that could be adopted by attackers to steal sensitive browser data.
2025-08-07
incident
HeartCrypt Packer-as-a-Service Used by Multiple Ransomware Groups to Disable Endpoint SecurityHeartCrypt
Sophos X-Ops uncovered HeartCrypt, a packer-as-a-service derived from EDRKillShifter, being used by at least eight ransomware groups to disable EDR and AV products before deploying ransomware. The tool injects malicious code into signed executables and uses BYOVD to load a kernel driver that terminates security processes. This represents a significant escalation in ransomware tactics through cybercrime-as-a-service.
2025-08-06
research poc
Research Evaluates Four Evasion Techniques Against Microsoft Defender for Endpoint and Cloud AIAdvanced Evasion Techniques Against Microsoft EDR
A research paper tested four advanced evasion techniques against Microsoft Defender for Endpoint and its cloud-based AI/ML protection. The techniques included Early Cryo Bird injection, direct syscalls with encrypted shellcode, ZigStrike injection, and a covert C2 channel via browser native messaging. Results showed that while some techniques bypassed EDR, cloud AI detection caught most, except for the ZigStrike XLL and native messaging C2 methods.
2025-07-28
research poc
XWorm V6 Introduces Advanced Evasion and AMSI Bypass TechniquesXWorm V6 AMSI Bypass
Netskope Threat Labs analyzed XWorm V6.0, revealing new evasion features including AMSI bypass, stealthy delivery, and anti-analysis capabilities. This version enhances the malware's ability to avoid detection by endpoint security products.
2025-07-23
research poc
Public Proof-of-Concept AMSI Bypass Scripts Published on GitHubAMSI-Bypass-Matthew-Holt
A GitHub repository named 'AMSI-Bypasses' by Matthew-Holt was published containing two PowerShell scripts that demonstrate techniques to bypass the Antimalware Scan Interface (AMSI). The first script uses an in-memory patch of the AmsiScanBuffer function, while the second is a basic reverse shell. This provides attackers with ready-to-use methods to evade endpoint detection.
2025-07-14
research poc
Defendnot: Fake Antivirus Tool Disables Microsoft Defender via WSC APIDefendnot
Defendnot is a proof-of-concept tool that registers a fake antivirus using the Windows Security Center API to disable Microsoft Defender. It injects a stub DLL into a trusted signed process (Taskmgr.exe) to bypass integrity checks. The tool requires administrator rights and leaves the device unprotected.
2025-07-13
research poc
PhantomLoad: Stealthy Fileless Shellcode Loader with EDR/AV Evasion ReleasedPhantomLoad
PhantomLoad is a newly released open-source, fileless shellcode loader designed for red team operations. It implements multiple evasion techniques including syscall unhooking, ETW patching, AMSI bypass, and PPID spoofing to bypass endpoint security products. The tool supports payloads from Cobalt Strike, Meterpreter, and BruteRatel, and is explicitly stated to bypass Defender, CrowdStrike, and SentinelOne.
2025-06-25
research poc
Research Demonstrates Multi-Layered Techniques to Bypass Windows Defender for Metasploit PayloadsMetasploit Defender Bypass Techniques
A research article details multiple techniques to execute Metasploit Meterpreter payloads on a fully patched Windows 11 system with Defender enabled. The methods include remote mapping injection, AMSI bypass, sandbox evasion via delayed execution, PPID spoofing, and Defender exclusion abuse. These techniques exploit Windows API quirks rather than vulnerabilities, highlighting the need for layered endpoint defenses.
2025-06-24
research poc
TrampoLatte: Proof-of-Concept AMSI and ETW Bypass Using Trampoline HookingTrampoLatte
A proof-of-concept tool named TrampoLatte demonstrates bypassing AMSI and ETW by using trampoline hooks to alter function execution. It hooks AmsiScanBuffer to always return AMSI_RESULT_CLEAN and hooks EtwpEventWriteFull to return immediately, preventing detection. This technique could allow malicious code to evade endpoint security monitoring.
2025-06-19
research poc
Signature Kid Tool Demonstrates Digital Signature Spoofing to Bypass Kernel-Mode ProtectionsSignature Kid
Security researcher David Lee released a proof-of-concept tool called Signature Kid that spoofs digital signatures on PE files. The tool copies a valid signature from a signed file to an unsigned one and manipulates registry keys to bypass Windows signature validation. This allows attackers to load malicious DLLs into protected processes, evading EDR, anti-cheat, and kernel-mode callbacks.
2025-06-15
research poc
Open-source tool DefenderControlV2 permanently disables Microsoft Defender on Windows 10/11DefenderControlV2
DefenderControlV2 is an open-source C++ tool that permanently disables Microsoft Defender by gaining TrustedInstaller privileges, stopping services, disabling tamper protection, and modifying registry and WMI settings. It is a fork of defender-control with improved error handling and additional features like removing Defender files and handling WdFilter. The tool is tested on Windows 10 22H2 and Windows 11 24H2.
2025-06-13
research poc
Kernel-Level LSA Protection Bypass Enables LSASS Credential DumpingLSA Protection Bypass via EPROCESS Manipulation
This article details a kernel-level technique to bypass Windows LSA Protection by directly manipulating the EPROCESS structure's Protection field using WinDbg or custom tools, allowing Mimikatz to dump credentials from LSASS. The method requires kernel access and demonstrates that LSA Protection is ineffective against attackers with such privileges. It serves as a proof-of-concept for red teams and highlights detection opportunities for blue teams.
2025-06-12
research poc
MoveEDR: PowerShell script to disable EDRs by moving files at boot via PendingFileRenameOperationsMoveEDR
A PowerShell script called MoveEDR was published that leverages the Windows PendingFileRenameOperations registry key to move or delete EDR files before they start, effectively disabling endpoint detection. It requires local administrator privileges and targets multiple EDR products, including CrowdStrike, Elastic, McAfee, Trellix, Trend Micro, and Windows Defender. The technique is a proof-of-concept demonstrating a built-in Windows mechanism to bypass tamper protection.
2025-06-10
research poc
WDAC Policy Used to Disable Microsoft Defender Real-Time MonitoringWDAC-Defender-Bypass
A researcher demonstrated that an attacker with local administrator privileges can use Windows Defender Application Control (WDAC) to create a deny rule for MsMpEng.exe, disabling Microsoft Defender's real-time protection even on Intune-managed endpoints with Defender for Endpoint. This bypass allows execution of tools like Mimikatz without detection.
2025-06-10
incident
Stealth Falcon APT Exploits Windows WebDAV Zero-Day CVE-2025-33053 in Targeted AttackCVE-2025-33053
The Stealth Falcon APT group exploited a zero-day remote code execution vulnerability (CVE-2025-33053) in Windows WebDAV to target a Turkish defense company. The attack used a malicious .url file to manipulate the working directory of a legitimate Windows diagnostic tool, causing it to execute malware from an attacker-controlled WebDAV server. The campaign deployed a custom implant called Horus Agent for reconnaissance and further payload delivery.
2025-06-06
research poc
Research PoC Demonstrates AMSI Bypass Using Hardware BreakpointsAMSI bypass via hardware breakpoints
A security researcher published a proof-of-concept technique to bypass the Windows Antimalware Scan Interface (AMSI) by setting hardware breakpoints on the AmsiScanBuffer function. The method manipulates memory to prevent AMSI from scanning malicious content, though it is limited by the number of available hardware breakpoints and may be unstable across platforms. This technique highlights a potential evasion method that could be used to circumvent endpoint detection mechanisms.
2025-06-03
research poc
Researchers Demonstrate AMSI Bypass by Preventing amsi.dll LoadAMSI Pre-Loading Prevention
Security researchers Itay Yashar and Omer Golan published a proof-of-concept technique that prevents the Windows Antimalware Scan Interface (AMSI) DLL from loading into a process, effectively bypassing AMSI-based detection without traditional patching or unhooking. The method leverages Windows process mitigation policies to block amsi.dll loading, achieving stealthy evasion of endpoint security products that rely on AMSI for script and in-memory threat detection.
2025-05-31
vuln disclosure
Microsoft 365 Copilot Zero-Click Prompt Injection Vulnerability 'EchoLeak' DisclosedCVE-2025-32711
Researchers disclosed a critical zero-click vulnerability in Microsoft 365 Copilot that allowed prompt injection via email to exfiltrate sensitive data. The flaw, tracked as CVE-2025-32711, bypassed classifiers and markdown link redaction. Microsoft patched the issue before public disclosure, with no known exploitation.
2025-05-30
incident
Conti Ransomware Gang Leaks Internal EDR Evasion Tier ListConti EDR Tier List Leak
The Conti ransomware group leaked an internal ranking of endpoint detection and response (EDR) products based on their ease of bypass during real-world attacks. The list places Microsoft Defender for Endpoint, McAfee, and Webroot in the lowest tier, while CrowdStrike is ranked highest. The leak highlights that even top-tier EDRs can be evaded, especially when poorly configured, and underscores the importance of defense-in-depth and proper security tool configuration.
2025-05-18
research poc
Public Release of EDR and AV Bypass Arsenal RepositoryBypass-Protection0x00
A GitHub repository named 'Bypass-Protection0x00' was published, aggregating over 30 tools and techniques for evading endpoint security products. It includes proof-of-concept exploits, loaders, and utilities targeting EDR, AV, UEFI, and Windows protections. The collection is intended for security research but lowers the barrier for attackers to adopt advanced evasion methods.
2025-05-16
research poc
Microsoft Signed Debugger CDB Used to Bypass AMSI, CLM, and ETWCDB-AMSI-CLM-ETW-Bypass
A researcher demonstrates using the Microsoft-signed console debugger CDB to bypass AMSI, Constrained Language Mode (CLM), and ETW by scripting memory patches before PowerShell initializes. The technique forces AmsiScanBuffer to return E_INVALIDARG and manipulates SystemPolicy to return None, effectively disabling script scanning and logging. This matters because it uses a trusted, signed Microsoft tool, making it harder for EDRs to detect or block.
2025-05-15
research poc
WDAC Bypass via Exploiting Trusted Electron Applications' V8 EngineBring Your Own Vulnerable Application (BYOVA) WDAC Bypass
Researchers demonstrated a technique to bypass Windows Defender Application Control (WDAC) by exploiting vulnerabilities in trusted, signed Electron applications. The method leverages the V8 JavaScript engine to execute arbitrary code within a whitelisted process, evading WDAC policies. This poses a risk to high-assurance environments relying on WDAC as a core security control.
2025-05-12
research poc
TrollAMSI2: PowerShell AMSI Bypass via JIT Byte Patching and UnInitTrollAMSI2
TrollAMSI2 is a proof-of-concept tool that bypasses PowerShell AMSI by byte-patching the AMSI initialization method in JIT-compiled code, then forcing an UnInit call to prevent proper re-initialization. It offers both a DLL method using HarmonyLib and a PowerShell one-liner, achieving zero detections on VirusTotal at the time of publication.
2025-05-12
vuln disclosure
CVE-2025-26684: Microsoft Defender for Endpoint for Linux Privilege Escalation VulnerabilityCVE-2025-26684
CVE-2025-26684 is a local privilege escalation vulnerability in Microsoft Defender for Endpoint for Linux. It arises from improper validation of file paths, allowing an attacker with existing high privileges to manipulate file operations and gain full control of the system. The vulnerability affects all versions prior to the patch.
2025-04-24
research poc
AMSI Bypass via Hardware Breakpoints Proof-of-Concept ReleasedHBP-Amsi-Bypass
A proof-of-concept technique was published that bypasses the Windows Antimalware Scan Interface (AMSI) by using hardware breakpoints to modify AmsiScanBuffer behavior at runtime. The method avoids patching AMSI DLLs on disk and leverages CPU debug registers for stealthy memory modification. This demonstrates a novel evasion approach against endpoint security products relying on AMSI.
2025-04-15
research poc
PatchedCLRLoader: .NET Assembly Loader with AMSI and ETW Patching BypassPatchedCLRLoader
A proof-of-concept tool named PatchedCLRLoader demonstrates loading .NET assemblies while bypassing AMSI and ETW by patching functions in clr.dll and ntdll.dll. It uses direct syscalls and RC4 encryption to evade detection, and was tested successfully against Cortex XDR, Sophos, MDE, and CrowdStrike. The technique specifically patches AmsiScanBuffer in clr.dll and NtTraceEvent to avoid newer Windows Defender protections.
2025-04-08
vuln disclosure
CVE-2025-26678: Windows Defender Application Control Authentication Bypass VulnerabilityCVE-2025-26678
CVE-2025-26678 is an improper access control vulnerability in Windows Defender Application Control (WDAC) on Windows 10 1809 and other versions. It allows a local attacker to bypass WDAC application whitelisting policies without user interaction or elevated privileges, potentially enabling execution of unauthorized code. This undermines a key endpoint security control, posing high risk to confidentiality, integrity, and availability.
2025-03-03
research poc
C++ Tool Patches AMSI in Remote PowerShell Processes to Bypass Malware ScanningAMSIPatching
A publicly released C++ utility named AMSIPatching patches AMSI functions in remote PowerShell processes, causing them to return E_INVALIDARG and effectively disabling AMSI-based malware scanning. The tool requires administrator privileges and works on both 32-bit and 64-bit processes. This demonstrates a specific technique to bypass endpoint security protections that rely on AMSI.
2025-02-28
research poc
Demonstration of EDR Evasion Against Microsoft Defender Using AMSI/ETW Bypass and DNS TunnelingEDR Evasion In Action: Evading Microsoft Defender
A proof-of-concept demonstration shows evasion of Microsoft Defender by downloading malicious code into memory via PowerShell from a trusted GitHub URL, then patching AMSI and ETW to prevent scanning and logging. DNS tunneling is used for C2, and the attack proceeds without Defender alerts, while the Lumu platform detects the anomaly.
2025-02-24
incident
Attackers Bypass Microsoft Driver Blocklist Using Tampered TrueSight.sys DriverLegacy Driver Exploitation via TrueSight.sys Certificate Padding Bypass
In June 2024, threat actors exploited a legacy version of the TrueSight.sys driver (v2.0.2.0) to bypass Microsoft's Vulnerable Driver Blocklist and terminate security processes. They tampered with the driver's WIN_CERTIFICATE padding area to maintain a valid signature, evading certificate verification. This allowed deployment of Gh0stRAT malware and disabling of endpoint defenses.
2025-01-18
research poc
New BYOVD Technique Uses Symbolic Links to Blind EDR by Overwriting Service ExecutablesBYOVD-Symlink-EDR-Blind
A researcher disclosed a method that combines Bring Your Own Vulnerable Driver (BYOVD) with Windows symbolic links to expand the pool of exploitable drivers. The technique leverages any driver with file-writing capability to overwrite EDR user-mode service executables during boot, effectively blinding the EDR. A proof-of-concept demonstrates disabling Microsoft Defender on Windows 11.
2025-01-14
vuln disclosure
CVE-2025-21213: Windows 10 1507 Secure Boot Bypass VulnerabilityCVE-2025-21213
A vulnerability in Windows 10 version 1507 allows bypassing Secure Boot protections. This flaw could enable attackers to load untrusted code during the boot process, undermining endpoint security guarantees.
2024-12-01
research poc
Using Windows Name Resolution Policy Table to Block EDR Agent CommunicationNRPT-based EDR Communication Blocking
A research blog post demonstrates a novel method to block EDR agent communication by manipulating the Windows Name Resolution Policy Table (NRPT). By adding NRPT rules that redirect DNS queries for EDR cloud endpoints to localhost, the agent is unable to resolve its required domains, effectively silencing it. The technique requires administrative privileges and is not limited to Microsoft Defender for Endpoint.
2024-11-21
research poc
New AMSI Bypass Technique Modifies CLR.DLL String in Memory to Evade Detection of Reflective .NET LoadingCLR.DLL AMSI Bypass via String Modification
A new technique bypasses AMSI by modifying the 'AmsiScanBuffer' string in the .rdata section of CLR.DLL in memory, preventing the runtime from passing reflectively loaded .NET modules to the installed AV. This avoids detection of malicious .NET assemblies loaded via Assembly.Load(byte[]). The method exploits the 'fail open' behavior of the CLR loader when AMSI lookup fails.
2024-10-30
research poc
Proof-of-Concept Tool Combines Reflective PE Injection with InstallUtil LOLBAS to Bypass AppLocker and EDRApplockerBypassExternalBinary
A publicly released proof-of-concept tool, ApplockerBypassExternalBinary, demonstrates how to bypass AppLocker and EDR hooks by reflectively loading arbitrary binaries using the InstallUtil LOLBAS. The tool is a fork of SharpReflectivePEInjection, modified to integrate InstallUtil for execution, and includes basic antivirus evasion techniques. It was demonstrated with Ligolo-ng but can be adapted to run any binary.
2024-10-20
research poc
AMSI Bypass via LdrLoadDll Hooking or Hardware BreakpointsAmsiBypass-LdrLoadDll
A proof-of-concept technique bypasses the Antimalware Scan Interface (AMSI) by intercepting the loading of amsi.dll through LdrLoadDll. It uses either hooking or hardware breakpoints to return an 'Access Denied' error, preventing AMSI initialization and thus disabling script content scanning. This matters because AMSI is a key defense against malicious scripts and in-memory threats.
2024-09-25
research poc
Python Script Automates Windows Defender Tamper Protection Bypass via Safe ModeTamperBypass
A publicly available Python script automates booting into Windows Safe Mode to disable Windows Defender services and scheduled tasks, effectively bypassing tamper protection. The technique requires administrator privileges and leverages Safe Mode's reduced security posture to stop Defender components. This demonstrates a practical method for attackers to disable endpoint protection on Windows 10/11 systems.
2024-08-19
incident
Lazarus APT exploited Windows AFD.sys zero-day CVE-2024-38193 for privilege escalationCVE-2024-38193
Microsoft patched CVE-2024-38193, a privilege escalation vulnerability in the Windows Ancillary Function Driver (AFD.sys), which was actively exploited by the North Korea-linked Lazarus APT group. The flaw allowed attackers to gain SYSTEM privileges and was used alongside the FudModule rootkit to bypass security software. This follows Lazarus's earlier exploitation of CVE-2024-21338 in the AppLocker driver for kernel-level access.
2024-08-18
research poc
DseDisabler: Tool to Disable Driver Signature Enforcement via g_CiOptions PatchDseDisabler
DseDisabler is a proof-of-concept tool that disables Windows Driver Signature Enforcement (DSE) by patching the g_CiOptions variable in the kernel. It uses a ring0 driver without IOCTL communication and supports manual mapping. The tool bypasses PatchGuard protection on CI.dll by suggesting methods like loading NoBsodDriver or using EfiGuard.
2024-08-11
research poc
Research: Abusing AV/EDR Exclusions to Evade DetectionAbusing Exclusions To Evade Detection
A security researcher demonstrates how attackers can enumerate and abuse antivirus/EDR exclusion paths, processes, and extensions to bypass detection. The technique leverages built-in exclusion features present in most endpoint security products, creating blind spots that allow malicious activity to go undetected. The research includes a proof-of-concept PowerShell script to enumerate exclusions from Windows Defender operational logs without administrative privileges.
2024-08-06
research poc
Elastic Security Labs Details Bypass Techniques for Windows Smart App Control and SmartScreenSmart App Control Bypass via Reputation Hijacking and Seeding
Elastic Security Labs published research detailing multiple methods to bypass Windows Smart App Control and SmartScreen reputation-based protections. The techniques include signing malware with fraudulently obtained EV certificates, hijacking the reputation of trusted script hosts like Lua and AutoHotkey, and seeding new binaries to gain a benign reputation. These bypasses allow attackers to achieve initial access without triggering security warnings.
2024-08-02
research poc
RustPatchlessCLRLoader: Patchless AMSI and ETW Bypass for .NET Assembly LoadingRustPatchlessCLRLoader
RustPatchlessCLRLoader is a proof-of-concept tool that loads .NET assemblies while bypassing AMSI and ETW using hardware breakpoints instead of memory patching. It was tested against several EDR products and successfully executed without detection, though behavioral detection may still trigger on malicious actions.
2024-07-17
research poc
PwnedBoot: Bypass Secure Boot via Windows Bootloader DLL SideloadingPwnedBoot
Security researcher Samuel Tulach released a proof-of-concept called PwnedBoot that leverages the Windows bootloader to bypass Secure Boot. By replacing the mcupdate_.dll file and booting with Driver Signature Enforcement disabled, arbitrary code executes early in the boot process. This technique could allow attackers to load malicious payloads before the operating system initializes, undermining Secure Boot protections.
2024-07-17
incident
Fin7's AvNeutralizer Tool Enables EDR Tampering for Ransomware GangsAvNeutralizer
SentinelOne reports that the Fin7 threat group has developed and sold a custom tool called AvNeutralizer (aka AuKill) that tampers with endpoint detection and response (EDR) solutions. The tool has been used by multiple ransomware gangs, including AvosLocker, MedusaLocker, BlackCat, and LockBit, since early 2023. AvNeutralizer leverages a previously unseen technique using the Windows TTD monitor driver ProcLaunchMon.sys and a hardened process explorer driver to cause a denial-of-service condition on affected security products.
2024-07-16
incident
Killer Ultra Malware Disables EDR/AV in Ransomware AttacksKiller Ultra
Killer Ultra malware, used in Qilin ransomware attacks, terminates endpoint security tools by exploiting a vulnerable Zemana AntiLogger driver (CVE-2024-1853). It also clears Windows Event Logs and contains inactive post-exploitation capabilities. The malware targets Symantec, Microsoft Defender, and SentinelOne.
2024-06-27
research poc
Using Signed Minifilters to Disable EDR SystemsMinifilter EDR Disable
A security researcher demonstrates a technique to disable EDR systems by loading a custom signed minifilter driver that blocks access to EDR-related files, preventing EDR processes from starting. The method was tested against Microsoft Defender and Elastic EDR, allowing execution of tools like Mimikatz without detection.
2024-06-26
research poc
Signature-Based EDR Bypass Using XOR-Encrypted Shellcode in GoXOR-Encrypted Shellcode Loader
A red team article demonstrates bypassing signature-based detection in Windows Defender and Bitdefender by encrypting Meterpreter shellcode with XOR and executing it via a custom Go loader. The technique evades static signatures by obfuscating the payload, allowing execution on a live system. This highlights a common evasion method that relies on the absence of runtime behavioral detection.
2024-06-22
research poc
GrimResource: Novel MSC File Technique for Initial Access and EvasionGrimResource
Elastic Security Labs discovered a new in-the-wild technique, GrimResource, that uses specially crafted MSC files to execute arbitrary code in Microsoft Management Console (mmc.exe) with minimal warnings. The technique exploits an old XSS vulnerability in apds.dll and combines it with DotNetToJScript to achieve code execution, evading static detection. It was used to deliver Cobalt Strike via a stealthy .NET loader called PASTALOADER.
2024-06-05
research poc
PoC Disables Microsoft Defender Tamper Protection via WdFilter UnloadDisable-TamperProtection
A proof-of-concept tool demonstrates how to disable Microsoft Defender's Tamper Protection and other components by abusing SYSTEM/TrustedInstaller privileges to delete the WdFilter altitude registry key, causing the kernel minidriver to unload. This blinds Microsoft Defender for Endpoint (MDE) telemetry and activity monitoring. The technique affects multiple Windows versions up to certain builds.
2024-05-29
research poc
Proof-of-Concept Tool 'No Defender' Disables Microsoft Defender via WSC API AbuseNo Defender
A GitHub project named 'No Defender' demonstrates a method to disable Microsoft Defender and firewall by abusing the undocumented Windows Security Center (WSC) API. The tool repurposes a signed Avast component to register a null antivirus product, causing Defender to deactivate. It requires administrative privileges and has implications for both legitimate security testing and potential malicious use.
2024-05-29
research poc
SharpC2 .NET Drone Evades Microsoft Defender Using ConfuserEx2 ObfuscationSharpC2 Defender Bypass via ConfuserEx2
Security researchers at dotSec documented a practical method to bypass Microsoft Defender detection for the SharpC2 .NET drone executable. By applying rename-only obfuscation with ConfuserEx2 to the drone.dll and excluding reflection-dependent classes, they achieved a functional bypass of static signatures like BluntC2 and Wacatac ML. The technique highlights the importance of entropy management and minimal evasive features when testing endpoint detection.
2024-05-27
research poc
Dsebler: Reimplementation of KExecDD DSE Bypass TechniqueDsebler
Dsebler is a reimplementation of the KExecDD technique to bypass Driver Signature Enforcement (DSE) on Windows by exploiting the KsecDD kernel module. It allows arbitrary kernel memory write via IOCTL 0x39006f, disabling DSE to load unsigned drivers. This demonstrates a method to undermine a key Windows security feature.
2024-05-27
research poc
Token Protection in Entra ID Conditional Access Bypassed Using Spoofed Device TypeToken Protection Bypass via Device Code Phishing with OS/2 Warp Agent
A security researcher demonstrated a bypass of Microsoft Entra ID's token protection conditional access policy by spoofing the device type during a device code phishing attack. The technique allows an attacker to obtain a valid bearer token and access cloud resources like email, despite token protection being enabled. The bypass highlights that token protection alone is insufficient against external token theft.
2024-05-26
research poc
BOAZ Multilayered AV/EDR Evasion Framework ReleasedBOAZ
BOAZ is a modular evasion framework that combines signature, heuristic, and behavioral bypass techniques to generate undetectable payloads. It was tested against 14 desktop AVs and 7 EDRs, including Sophos, Windows Defender, and ESET. The tool serves as both an evasion testing utility and a packer/obfuscator for researchers.
2024-05-08
research poc
Dirty Vanity EDR Bypass Technique Published as Proof-of-ConceptDirty Vanity
A proof-of-concept repository named DV_NEW combines multiple evasion techniques under the name Dirty Vanity to bypass endpoint detection and response (EDR) systems. It uses direct syscalls, dynamic syscall number resolution, and an egg-hunting technique to patch syscall instructions at runtime, evading user-mode hooks and static analysis. The author claims successful bypass of Bitdefender and Microsoft Defender for Endpoint.
2024-05-04
research poc
Python-based AMSI bypass using opcode scanning and patchingAMSI Opcode Scan Bypass
A proof-of-concept tool demonstrates a lifetime AMSI bypass by locating and patching specific opcode patterns in the AMSI DLL. The technique searches for a sequence of instructions in memory and modifies them to disable AMSI scanning, potentially evading endpoint detection.
2024-05-03
vuln disclosure
AMSI Write Raid Bypass Vulnerability in PowerShellAMSI Write Raid
A vulnerability in PowerShell's System.Management.Automation.dll allows overwriting a writable entry containing the address of AmsiScanBuffer, enabling AMSI bypass without VirtualProtect. Discovered by OffSec trainer Victor Khoury, it affects PowerShell 5.1 and 7.4 on Windows 10/11. Reported to Microsoft on April 8, 2024.
2024-04-26
vuln disclosure
Windows SmartScreen Security Feature Bypass Vulnerability (CVE-2023-24880)CVE-2023-24880
CVE-2023-24880 is a zero-day vulnerability in Windows SmartScreen that allows attackers to bypass Mark of the Web (MOTW) defenses. Exploited in the wild by financially motivated actors to distribute Magniber ransomware via crafted MSI files with invalid Authenticode signatures. The flaw stems from an incomplete fix for CVE-2022-44698.
2024-04-24
incident
CoralRaider Uses Malicious LNK Files to Evade Antivirus and Deliver InfostealersCoralRaider LNK Antivirus Evasion Campaign
The CoralRaider threat group is conducting a campaign using malicious LNK files to evade antivirus detection and deliver infostealer malware. The attack chain leverages PowerShell, HTA files, and FoDHelper.exe to bypass UAC and add Windows Defender exclusions, ultimately deploying CryptBot, LummaC2, or Rhadamanthys payloads.
2024-04-22
vuln disclosure
Microsoft Defender and Kaspersky EDR File Deletion Vulnerabilities DisclosedCVE-2023-24860
SafeBreach researchers disclosed vulnerabilities in Microsoft Defender and Kaspersky EDR that allow attackers to remotely delete legitimate files by inserting malware byte signatures into them, causing false-positive detections. Microsoft issued patches (CVE-2023-24860, CVE-2023-3601) but initial fixes were bypassed, while Kaspersky acknowledged the issue as a design limitation. The flaws highlight risks in signature-based detection and the difficulty of fully mitigating such design-level weaknesses.
2024-04-09
vuln disclosure
CVE-2024-26180: Windows Secure Boot Security Feature Bypass VulnerabilityCVE-2024-26180
A vulnerability in Windows Secure Boot allows attackers with administrative privileges to bypass Secure Boot protections and install persistent bootkits or rootkits. The flaw stems from improper validation of bootloaders, enabling malicious EFI binaries to load despite Secure Boot being enabled. Microsoft released patches and updated blocklists in March 2024 to address the issue.
2024-04-09
vuln disclosure
CVE-2024-21322: Microsoft Defender for IoT Remote Code Execution VulnerabilityCVE-2024-21322
A remote code execution vulnerability was disclosed in Microsoft Defender for IoT. The flaw could allow an attacker to execute arbitrary code on affected systems. No further technical details or exploitation status were provided in the article.
2024-04-05
research poc
FuckDse: BYOVD Proof-of-Concept to Bypass PatchGuard and Driver Signature EnforcementFuckDse
A proof-of-concept repository demonstrates using a Bring Your Own Vulnerable Driver (BYOVD) attack to disable Windows Driver Signature Enforcement (DSE) and PatchGuard. The code targets callbacks in SeValidateImageHeader/Data and includes analysis of PatchGuard's debugger detection logic. This technique could allow loading unsigned or malicious kernel drivers.
2024-04-04
vuln disclosure
Intune Management Extension Command Injection Allows WDAC BypassIntune Management Extension WDAC Bypass
A vulnerability in the Microsoft Intune Management Extension allowed a regular user to bypass Windows Defender Application Control (WDAC) by exploiting a command injection in the -PowerShell parameter. This enabled writing files with Managed Installer trust attributes, effectively bypassing WDAC enforcement. The issue was fixed by removing the vulnerable parameter.
2024-03-21
incident
Turla Deploys TinyTurla-NG Implant with Antivirus Exclusion BypassTinyTurla-NG
Russian espionage group Turla compromised a European NGO, deploying the TinyTurla-NG (TTNG) implant. Attackers first added exclusions to Microsoft Defender to evade detection, then established persistence via a malicious service. They used Chisel for tunneling and lateral movement, repeating the process on new systems.
2024-03-13
incident
ACR Stealer Exploits CVE-2024-21412 to Bypass Microsoft Defender SmartScreenCVE-2024-21412
ACR Stealer, a malware-as-a-service infostealer, is actively exploiting CVE-2024-21412 to bypass Microsoft Defender SmartScreen. The attack chain uses phishing emails with malicious links to WebDAV-hosted internet shortcuts, leading to DLL sideloading and execution of the payload. This allows the malware to steal sensitive information without triggering SmartScreen warnings.
2024-03-12
vuln disclosure
Microsoft Defender Security Feature Bypass Vulnerability CVE-2024-20671CVE-2024-20671
A vulnerability in Microsoft Defender allows local attackers with low privileges to bypass security features due to incorrect default permissions. The flaw has a CVSS score of 5.5 and primarily impacts system availability. Microsoft released a patch on March 12, 2024.
2024-03-07
research poc
BypassX Tool Demonstrates Evasion of AMSI, AppLocker, and Constrained Language ModeBypassX
Security researcher 'vulnableone' released BypassX, a C# tool that bypasses Windows security features AMSI, AppLocker, and Constrained Language Mode (CLM) simultaneously. The tool is intended for penetration testing and security research to identify weaknesses in organizational defenses. It leverages the InstallUtil utility for execution.
2024-03-01
research poc
Aladdin Tool Bypasses WDAC and AppLocker via .NET Remoting DeserializationAladdin
A new tool named Aladdin was released that bypasses Windows Defender Application Control (WDAC) and AppLocker by exploiting a .NET remoting deserialization issue in addinprocess.exe. It combines a known bypass for a 2019 Microsoft patch with a technique to execute arbitrary code, allowing red teamers to run payloads on systems with application control enabled.
2024-02-27
research poc
CSx4Ldr: Cobalt Strike Plugin for Antivirus EvasionCSx4Ldr
CSx4Ldr is a Cobalt Strike plugin that generates beacons designed to evade antivirus detection, specifically bypassing Windows Defender. It is a proof-of-concept tool intended for red team operations and security research.
2024-02-25
research poc
BypassPG: New Method to Bypass Windows Patch GuardBypassPG
A proof-of-concept repository demonstrates a method to bypass Windows Patch Guard by hooking NtCreateFile and NtOpenProcess, tested on Windows 10 22H2. The technique reportedly evades detection by several anti-cheat systems and remains stable without blue screens for nearly a day.
2024-02-07
incident
Raspberry Robin Worm Uses 1-Day Exploits for Local Privilege EscalationCVE-2023-36802
The Raspberry Robin worm has been updated to use two new 1-day local privilege escalation exploits, including one for CVE-2023-36802, before public disclosure. The malware continues to evolve with new evasion techniques and delivery methods, spreading via Discord archives that sideload a malicious DLL using a legitimate Microsoft executable.
2024-02-01
research poc
Practical BitLocker Bypass via TPM Bus Sniffing on Business LaptopsBitLocker TPM Sniffing
Researchers demonstrate a practical, low-cost attack to bypass Microsoft BitLocker's default TPM-only encryption on modern business laptops. By physically sniffing the communication bus between the discrete TPM chip and the CPU, the Volume Master Key (VMK) can be intercepted, allowing decryption of the disk. The attack requires physical access and works against common enterprise devices like Lenovo ThinkPads, HP EliteBooks, and Microsoft Surfaces.
2024-01-21
research poc
AMSI Bypass via Memory Patching of AmsiScanBuffer in 2024AMSI Memory Patch Bypass
A proof-of-concept demonstrates bypassing Microsoft's Anti-Malware Scan Interface (AMSI) by patching the AmsiScanBuffer function in memory to always return AMSI_RESULT_CLEAN. The technique modifies assembly instructions to evade signature-based detection, enabling execution of malicious PowerShell scripts like Mimikatz. This highlights ongoing evasion tactics against endpoint security controls.
2024-01-20
incident
Midnight Blizzard Compromises Microsoft Corporate Systems via Password Spray and OAuth AbuseMidnight Blizzard Microsoft Corporate Breach 2024
Microsoft detected a nation-state attack on its corporate systems on January 12, 2024, attributed to Russian state-sponsored actor Midnight Blizzard (NOBELIUM). The actor gained initial access via password spray on a legacy non-production test tenant without MFA, then abused OAuth applications to move laterally and access email accounts. This incident highlights risks from legacy accounts and OAuth application misuse in cloud environments.
2024-01-19
research poc
Research into Programmatically Disabling Windows Defender Tamper Protection via URI SchemeWindowsDefender-TamperProtection-Bypass-Research
A user on Stack Exchange investigated whether Windows Defender's Tamper Protection can be disabled programmatically using the 'start windowsdefender:' URI scheme, similar to enabling real-time protection. The attempt was unsuccessful, and the discussion highlights that no built-in, documented method exists to disable Tamper Protection from a script without high privileges or third-party tools. This matters because Tamper Protection is a key defense against unauthorized changes to Defender settings by malware or attackers.
2024-01-12
incident
CVE-2023-36025 Exploited in Phemedrone Stealer Campaign for SmartScreen BypassCVE-2023-36025
The Phemedrone Stealer campaign actively exploits CVE-2023-36025, a Windows Defender SmartScreen bypass vulnerability, to deliver malware. Attackers use crafted .url files to evade SmartScreen warnings and execute malicious .cpl files, leading to data theft from browsers, crypto wallets, and messaging apps. The vulnerability was patched in November 2023 but remains exploited in the wild.
2023-12-24
research poc
Researcher Documents Meterpreter Evasion Against EDR Using XOR Encryption and .data SectionMeterpreter EDR Evasion via XOR and .data Section
A red teamer documents their process of evading EDR detection for a Meterpreter payload by applying XOR encryption and storing the encrypted shellcode in the .data section to reduce static signatures. The technique was tested against Sophos XDR Intercept and Microsoft Defender for Endpoint on Windows 11, aiming to run the payload with minimal alerts. The article is part one of a series, focusing on theoretical foundations and initial evasion attempts.
2023-12-06
research poc
Pool Party Process Injection Techniques Bypass Major EDR SolutionsPool Party
SafeBreach researchers presented eight new process injection techniques called Pool Party at Black Hat Europe 2023. These techniques abuse Windows thread pools and worker factories to execute malicious code, achieving 100% bypass against five leading EDR products. The methods are more flexible than existing techniques and fully undetectable in tests.
2023-11-30
research poc
AMSI Bypass via Heap-Based VTable Hook Using ROP Gadget on Windows 11AMSI-Context-VTable-Hook
A proof-of-concept demonstrates bypassing the Antimalware Scan Interface (AMSI) on Windows 11 by hooking the AMSI context's virtual method table (VTable) on the heap using a return-oriented programming (ROP) gadget, avoiding code patches. This technique allows execution of malicious scripts or code without triggering AMSI detection.
2023-11-16
research poc
Evading Windows Defender with MiniDumpWriteDump, Donut, and Process InjectionMiniDumpWriteDump-Donut-Injection
A researcher demonstrates a technique to evade Windows Defender detection when dumping LSASS credentials. The method combines MiniDumpWriteDump with XOR encryption, Donut shellcode generation with AMSI bypass, and process injection into notepad.exe. Windows Defender failed to detect the final payload or its activity.
2023-11-11
research poc
Bring Your Own Reputation (BYOR) Technique Bypasses SmartScreen via Reputable ScriptsBYOR
P.I.V.O.T Security researchers demonstrated a technique called Bring Your Own Reputation (BYOR) that abuses Microsoft SmartScreen's reputation-based trust by sideloading unsigned executables through legitimately-reputed script files (.bat, .cmd, .vbs) containing insecure code paths. This bypasses Mark-of-the-Web (MOTW) and SmartScreen warnings without requiring an EV certificate, and Windows Defender remained silent during the proof-of-concept. The technique highlights that file reputation alone is insufficient for detection, and behavioral monitoring of child processes spawned from script files is necessary.
2023-10-28
research poc
PayloadInResources: AV Bypass via Resource-Stored XOR-Encrypted ShellcodePayloadInResources
A proof-of-concept tool demonstrates antivirus bypass by storing XOR-encrypted shellcode in executable resources and using an unconventional process injection method. It includes a sandbox check based on executable path. The technique was tested against Microsoft Defender and may evade some EDRs.
2023-10-24
research poc
AMSI-Reaper: Open-Source Tool Bypasses Windows AMSI via Memory PatchingAMSI-Reaper
Security researcher h0ru released AMSI-Reaper, a PowerShell and C# tool that bypasses the Windows Antimalware Scan Interface (AMSI) by injecting code into AMSI component memory. The tool demonstrates that AMSI can be disabled in real-time, allowing previously blocked malicious scripts like Invoke-Mimikatz to execute. This proof-of-concept highlights a persistent evasion technique relevant to endpoint security testing.
2023-10-17
vuln disclosure
CSIS Discloses Weakness in Microsoft Defender for Endpoint Allowing Undetected Malicious ActivityMDE Bypass Technique (CSIS)
CSIS Security Group discovered a bypass technique in Microsoft Defender for Endpoint (MDE) during an incident response engagement. The weakness allowed attackers to operate undetected on compromised servers with domain admin privileges. CSIS has reported the issue to Microsoft and will disclose full details after a fix is available.
2023-10-06
research poc
GuardBypassToolkit Demonstrates Windows Defender Bypass via Manual DLL Loading and EAT HookingGuardBypassToolkit
A proof-of-concept tool called GuardBypassToolkit bypasses Windows Defender by manually loading DLLs, parsing the Export Address Table (EAT), and updating the Import Address Table (IAT) with unhooked functions. It includes an LSASS dumper and in-memory Mimikatz execution, using EAT hooking to redirect AmsiScanBuffer to a custom function that always returns clean.
2023-09-27
vuln disclosure
CVE-2022-21894: Secure Boot Security Feature Bypass via truncatememory BCD ElementCVE-2022-21894
A vulnerability in Windows Boot Applications allows an attacker with physical access or administrative privileges to bypass Secure Boot by using the 'truncatememory' BCD element to remove the serialized Secure Boot policy from memory. This enables loading of unsigned or test-signed code, undermining the integrity guarantees of Secure Boot. The issue was patched by Microsoft in January 2022.
2023-09-13
vuln disclosure
ALPC Port Blocking Vulnerability Affects Multiple Windows EDR AgentsCVE-2023-3280
A denial-of-service vulnerability in multiple Windows EDR products allows a low-privileged user to permanently disable the agent after a reboot by preemptively registering an ALPC port name used by the EDR. The affected EDRs fail to handle the case where the port is already in use, causing user-mode components to crash or become non-functional. Kernel components remain running but lose detection/blocking capabilities in most cases.
2023-09-12
vuln disclosure
CVE-2023-38163: Windows Defender ASR Authentication Bypass VulnerabilityCVE-2023-38163
CVE-2023-38163 is a security feature bypass vulnerability in Microsoft Windows Defender Attack Surface Reduction (ASR) rules. It allows an attacker with local access and user interaction to circumvent ASR protections, potentially enabling malicious code execution. The flaw undermines a key endpoint defense layer used to block common attack techniques.
2023-08-28
research poc
DebugAmsi: AMSI Bypass via Windows Process DebuggerDebugAmsi
A proof-of-concept tool named DebugAmsi demonstrates a method to bypass the Antimalware Scan Interface (AMSI) in Windows by using the debugger mechanism. It attaches as a debugger to a suspended PowerShell process, intercepts the loading of amsi.dll, and patches its AmsiOpenSession and AmsiScanBuffer functions to disable AMSI scanning. This technique allows execution of malicious scripts without AMSI detection.
2023-08-21
research poc
Percino: Evasive Golang Loader Using Process Hollowing to Bypass EDRPercino
Percino is an open-source Golang loader that executes shellcode via process hollowing with anti-sandbox and anti-analysis features. It encrypts shellcode with 3DES and claims full EDR bypass, tested against Microsoft Defender for Endpoint with Cobalt Strike.
2023-08-16
research poc
AuKill EDR Killer Malware Technical AnalysisAuKill
A technical analysis of the AuKill malware, which uses a Bring Your Own Vulnerable Driver (BYOVD) technique with the PROCEXP.SYS driver to terminate protected EDR processes. The malware targets solutions like Sophos and Windows Defender, and has been used by ransomware groups including LockBit and Medusa.
2023-08-11
vuln disclosure
Researchers Uncover Remote File Deletion Vulnerabilities in Multiple EDR ProductsEDR Remote File Deletion via Malicious Signature Injection
SafeBreach Labs researchers discovered vulnerabilities in several EDR products that allow remote deletion of critical files and databases without authentication. By inserting minimal malicious signatures into files like web server logs, attackers can trick EDRs into automatically deleting the file, leading to data loss and denial of service. The research was presented at Black Hat USA 2023.
2023-08-09
vuln disclosure
CVE-2023-24934: Windows Defender Update Process Hijack Allows Malware Injection and File DeletionCVE-2023-24934
Researchers at SafeBreach discovered a security feature bypass vulnerability in Microsoft Defender's signature update process, tracked as CVE-2023-24934. The flaw allows an unprivileged user to hijack the update mechanism to inject malware, delete benign files, or remove threat signatures. Microsoft patched the vulnerability in April 2023.
2023-08-08
research poc
Researcher Develops Undetectable Ransomware Using Microsoft OneDriveClouded OneDrive Ransomware
A SafeBreach researcher created a proof-of-concept ransomware that encrypts files on a victim's endpoint by abusing Microsoft OneDrive's sync functionality, without executing malicious code locally. The technique leverages stolen OneDrive access tokens and junction points to manipulate files remotely, evading standard endpoint security detection.
2023-07-19
research poc
AMSI Bypass via AmsiOpenSession and AmsiScanBuffer Patching on Windows 11Amsi_Bypass_In_2023
A proof-of-concept repository demonstrates two methods to bypass the Antimalware Scan Interface (AMSI) on Windows 11 by patching AmsiOpenSession and AmsiScanBuffer functions in memory. The AmsiScanBuffer patch successfully evades detection for Assembly.Load() calls, while the AmsiOpenSession patch does not. This highlights a persistent evasion technique against Microsoft's AMSI.
2023-07-11
incident
Storm-0978 Phishing Campaign Exploits CVE-2023-36884 for Espionage and RansomwareCVE-2023-36884
Microsoft identified a phishing campaign by Russian threat actor Storm-0978 targeting defense and government entities in Europe and North America. The campaign exploited CVE-2023-36884, a remote code execution vulnerability in Microsoft Word, to deliver a backdoor similar to RomCom. The actor also conducts financially motivated ransomware attacks using Underground ransomware, a rebrand of Industrial Spy.
2023-07-11
vuln disclosure
CVE-2023-36874: Windows Error Reporting Elevation of Privilege VulnerabilityCVE-2023-36874
CVE-2023-36874 is a local privilege escalation vulnerability in the Windows Error Reporting (WER) service. An attacker with low-level user access can exploit this flaw to gain SYSTEM privileges, enabling full system compromise. The vulnerability is actively exploited in the wild and listed in CISA's Known Exploited Vulnerabilities catalog.
2023-06-07
research poc
Researcher Demonstrates Custom Process Unhooking Technique to Bypass Windows DefenderCustom Process Unhooking Bypass
A security researcher published a proof-of-concept demonstrating a custom process unhooking technique that bypasses Windows Defender on fully updated Windows 11. The method removes security hooks from loaded DLLs and restores original addresses, allowing an implant to execute undetected. The researcher plans to test against other vendors, such as Symantec IPS, in a future POC.
2023-06-01
research poc
EDRSandblast-GodFault: EDR kernel callback removal without vulnerable driverEDRSandblast-GodFault
Security researcher Gabriel Landau released EDRSandblast-GodFault, a proof-of-concept tool that removes kernel callbacks from EDR drivers like Microsoft Defender (WdFilter.sys) without using a vulnerable driver. It leverages the GodFault technique to gain kernel-level access and disable process, thread, and image load notifications, as well as ETW Threat Intelligence. This demonstrates a driverless method to blind EDR sensors.
2023-06-01
research poc
LightsOut Tool Generates Obfuscated DLL to Disable AMSI and ETWLightsOut
Security researcher icyguider released LightsOut, an open-source Python tool that generates an obfuscated DLL to disable AMSI and ETW in Windows processes. The tool uses techniques like WinAPI randomization, XOR string encoding, and sandbox checks to evade AV detection. It is intended for penetration testing to execute malicious PowerShell scripts without being blocked.
2023-06-01
research poc
New malware tool claims to terminate multiple EDR and antivirus agentsEDR-Terminator
A video and Reddit post surfaced on May 28, 2023, showing an executable that allegedly disables tamper protection and terminates the on-premise agents of numerous endpoint security products. The tool claims to work against vendors including CrowdStrike, SentinelOne, Carbon Black, and Windows Defender. ThreatLocker notes that its application allowlisting would block such an unknown executable from running.
2023-05-31
incident
Terminator tool uses BYOVD with Zemana driver to terminate security productsTerminator
A threat actor is selling a tool called Terminator that uses a Bring Your Own Vulnerable Driver (BYOVD) attack to terminate antivirus, EDR, and XDR processes. The tool drops a legitimate but vulnerable Zemana anti-malware driver (zamguard64.sys or zam64.sys) to gain kernel-level privileges and kill security software user-mode processes. CrowdStrike confirmed the technique is a BYOVD attack, not a novel bypass.
Every event on this page is a record in ColdRecon's canonical set, drawn from public reporting and linked to its source above. ColdRecon monitors open-source signal only; it publishes no non-public or customer information.

Microsoft ships. Your prospect reads the headline. Do you?

ColdRecon turns this signal into one short daily brief, written from the seller's seat — what changed, why it matters to your deals, how to position. Request clearance and the first lands tomorrow at 0600.

Request Clearance →