Bypass Record

Process Injection × Skyhigh Security Skyhigh Client Proxy

A publicly-reported instance of Process Injection bypassing Skyhigh Security Skyhigh Client Proxy, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Skyhigh Security Skyhigh Client Proxy
Technique: Process Injection
MITRE ATT&CK: T1055
Confidence: High
Severity: High
Status: poc
Disclosed: 2024-10-29
Config / version noted: Not stated

Provenance

Reported as: bypassing Skyhigh Client Proxy policy enforcement via named pipe injection

Mechanism

The exploit injects shellcode into SCPBypass.exe, which then writes a bypass command to the named pipe \\.\pipe\MCPTrayPipe0. The pipe has a NULL DACL (read/write for Everyone), but the service's WGUARDNT module checks the executable path of the process writing to it. Injecting into a legitimate process satisfies that path check, so the write is accepted. The reported shellcode also avoids the LoadLibrary hooks placed by Trellix/McAfee.

Detection & mitigation

Monitor for process injection into SCPBypass.exe, especially when that process subsequently writes to \\.\pipe\MCPTrayPipe0. Enable logging of named pipe connections and of process creation events. Apply vendor patches when available.
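The correlation the note above describes, written out as an added example (not code from the cited source or the vendor): it pairs a process-access event against SCPBypass.exe that carries memory-write or thread-creation rights with a later pipe connection from that same process to MCPTrayPipe0. The JSON records and their field names follow the Sysmon ProcessAccess (EventID 10) and PipeConnected (EventID 18) shape as an assumption; the sample log, the install path and the injector name are constructed placeholders, and the five-minute window is an assumed tuning value.

```python
"""Correlate Sysmon-style ProcessAccess (10) and PipeConnected (18) records to
flag injection into SCPBypass.exe followed by a write to the MCPTrayPipe0 pipe.
Added example; record shape and sample values are assumptions, not from the report."""
import json
from datetime import datetime, timedelta

# Windows process access rights an injector needs (real constants from the Win32 API).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

TARGET_IMAGE = "scpbypass.exe"   # process named in the report
PIPE_NAME = "mcptraypipe0"       # pipe named in the report, compared without its prefix
WINDOW = timedelta(minutes=5)    # assumption: the pipe write follows the injection quickly

# Constructed sample log (JSON lines). Paths and the injector name are placeholders.
SAMPLE_LOG = r"""
{"EventID": 10, "UtcTime": "2024-10-29 10:15:00.000", "SourceImage": "C:\\Windows\\explorer.exe", "TargetImage": "C:\\INSTALL_DIR_PLACEHOLDER\\SCPBypass.exe", "GrantedAccess": "0x1000"}
{"EventID": 10, "UtcTime": "2024-10-29 10:15:01.500", "SourceImage": "C:\\Users\\demo\\injector-placeholder.exe", "TargetImage": "C:\\INSTALL_DIR_PLACEHOLDER\\SCPBypass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 18, "UtcTime": "2024-10-29 10:15:03.000", "Image": "C:\\INSTALL_DIR_PLACEHOLDER\\SCPBypass.exe", "PipeName": "\\MCPTrayPipe0"}
{"EventID": 18, "UtcTime": "2024-10-29 10:20:00.000", "Image": "C:\\Windows\\System32\\svchost.exe", "PipeName": "\\unrelatedpipe"}
"""


def _basename(path):
    """Last backslash-separated component, lower-cased; works for image paths
    and for pipe names in either '\\name' or '\\\\.\\pipe\\name' form."""
    return path.rsplit("\\", 1)[-1].lower()


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def injection_candidates(events):
    """EventID 10 records where another process opened SCPBypass.exe with any
    right that allows writing its memory or starting a thread in it. On its own
    this is noisy (scanners and EDR agents open processes too), so it is only
    the first half of the detection."""
    hits = []
    for e in events:
        if e.get("EventID") != 10 or _basename(e["TargetImage"]) != TARGET_IMAGE:
            continue
        if int(e["GrantedAccess"], 16) & INJECT_RIGHTS:
            hits.append(e)
    return hits


def pipe_connects(events):
    """EventID 18 records for connections to the MCPTrayPipe0 pipe, any client."""
    return [e for e in events
            if e.get("EventID") == 18 and _basename(e["PipeName"]) == PIPE_NAME]


def correlate(events):
    """Alert when an injection candidate is followed, within WINDOW, by the
    injected process itself connecting to the pipe."""
    alerts = []
    for inj in injection_candidates(events):
        t0 = _ts(inj["UtcTime"])
        for pc in pipe_connects(events):
            if _basename(pc["Image"]) != TARGET_IMAGE:
                continue
            t1 = _ts(pc["UtcTime"])
            if t0 <= t1 <= t0 + WINDOW:
                alerts.append({
                    "injector": inj["SourceImage"],
                    "target": inj["TargetImage"],
                    "pipe": pc["PipeName"],
                    "access_at": inj["UtcTime"],
                    "pipe_connect_at": pc["UtcTime"],
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(load_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Run against the constructed log, the explorer.exe open (query-only rights) and the unrelated pipe connection are dropped, and the single remaining pair becomes one alert naming the source image; the same two event types are what the note asks to have logged, so the rule transfers to real Sysmon output once the field assumptions are checked.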

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.