Bypass Record

Process Injection × Microsoft Defender Antivirus

A publicly-reported instance of Process Injection bypassing Microsoft Defender Antivirus, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Microsoft Defender Antivirus

Technique

Process Injection

MITRE ATT&CK

T1055

Confidence

Medium

Severity

Medium

Status

poc

Disclosed

2023-10-28

Config / version noted

Not stated

Provenance

github.com
disclosed 2023-10-28 · original source · via exa

Reported as

A proof-of-concept tool demonstrates antivirus bypass... tested against Microsoft Defender and may evade some EDRs.

Mechanism

Shellcode is XOR-encrypted and stored as a resource in the executable. At runtime, the executable checks if its path contains its own name (sandbox evasion), then decrypts and injects the shellcode using an unconventional method, avoiding signature-based detection.

Detection & mitigation

Monitor for suspicious process injection events (e.g., Event ID 8 from Sysmon) where a process allocates memory in another process with RWX permissions and writes shellcode, especially if the source process loads encrypted resources. Mitigate by enforcing application control and blocking execution from user-writable paths.

Process Injection has also been recorded against

Brave CrowdStrike Cybereason Google Palo Alto Pearson Respondus SentinelOne Skyhigh Security STRANGETRINITY TN ROM (HyperTN/MIUITN)Trellix

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.