Elias pulled the file into his sandbox. He watched as the malware performed a classic evasion maneuver: instead of trying to fight the EDR hooks already present in the memory-loaded version of ntdll.dll, the malware opened the original ntdll.dll file directly from the C:\Windows\System32\ folder on the disk.

Elias flagged the technique as . He updated the team's detection rules to look for processes accessing the ntdll.dll file on disk with Read permissions—a behavior rarely needed by legitimate software.

UnhookingNtdll_disk.exe
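Added detection example, not code from the story or from any EDR vendor: it applies the rule Elias describes to constructed file-access events in an assumed one-JSON-object-per-line schema, flagging handles opened to ntdll.dll on disk with data-read rights while ignoring ordinary image loads and attribute-only opens. It also covers the SysWOW64 copy of ntdll.dll, which goes beyond the text.

```python
import json
from pathlib import PureWindowsPath

# Constructed sample telemetry (assumed schema, not any product's real format).
SAMPLE_EVENTS = r"""
{"pid": 4120, "image": "C:\\Users\\alice\\Downloads\\UnhookingNtdll_disk.exe", "op": "CreateFile", "path": "C:\\Windows\\System32\\ntdll.dll", "access": ["GENERIC_READ"]}
{"pid": 812, "image": "C:\\Windows\\System32\\svchost.exe", "op": "ImageLoad", "path": "C:\\Windows\\System32\\ntdll.dll", "access": []}
{"pid": 2200, "image": "C:\\Windows\\explorer.exe", "op": "CreateFile", "path": "C:\\Windows\\System32\\ntdll.dll", "access": ["FILE_READ_ATTRIBUTES"]}
{"pid": 5310, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\loader32.exe", "op": "CreateFile", "path": "C:\\Windows\\SysWOW64\\ntdll.dll", "access": ["FILE_READ_DATA", "SYNCHRONIZE"]}
{"pid": 3001, "image": "C:\\Windows\\System32\\notepad.exe", "op": "CreateFile", "path": "C:\\Windows\\System32\\kernel32.dll", "access": ["GENERIC_READ"]}
"""

# Rights that let a process read the file's bytes; attribute-only opens are benign and common.
READ_DATA_RIGHTS = {"GENERIC_READ", "FILE_READ_DATA", "FILE_ALL_ACCESS"}
# Directories holding the clean ntdll.dll copies a process could read to restore hooked stubs.
NTDLL_DIRS = {"system32", "syswow64"}


def is_ntdll_disk_read(event: dict) -> bool:
    """True when a process opened a handle to ntdll.dll on disk with data-read rights."""
    if event.get("op") != "CreateFile":
        return False  # normal loader mappings show up as ImageLoad, not as read handles
    path = PureWindowsPath(event.get("path", ""))
    if path.name.lower() != "ntdll.dll" or path.parent.name.lower() not in NTDLL_DIRS:
        return False
    granted = {right.upper() for right in event.get("access", [])}
    return bool(granted & READ_DATA_RIGHTS)


def find_suspicious(lines, allowed_images=frozenset()):
    """Return (pid, image, path) for each matching event; allowed_images is a per-site allowlist
    for known scanners (hypothetical; empty here)."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("image", "").lower() in allowed_images:
            continue
        if is_ntdll_disk_read(event):
            hits.append((event["pid"], event["image"], event["path"]))
    return hits


if __name__ == "__main__":
    for pid, image, path in find_suspicious(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT pid={pid} image={image} read {path}")
```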