Bypass Record

Process Injection × STRANGETRINITY EDR

A publicly reported instance of Process Injection bypassing STRANGETRINITY EDR, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: STRANGETRINITY EDR
Technique: Process Injection
MITRE ATT&CK: T1055
Confidence: High
Severity: Critical
Status: patched
Disclosed: 2023-08-03
Config / version noted: Not stated

Provenance

Reported as

STRANGETRINITY did not inject its hooking DLL into its own user-mode process, which ran without process protection

Mechanism

The EDR's own user-mode process (STRANGETRINITY.exe) was neither injected with the product's hooking DLL nor run with process protection, and the EDR treated it as a trusted (whitelisted) process. Because it was unprotected, an attacker with administrative rights could open a handle to it and use PPID spoofing (the handle is passed as the parent-process attribute at process creation) to launch a child that the EDR recorded as a legitimate descendant of its own process; the child inherited the exemption. A plain CreateRemoteThread injection into that child then ran arbitrary shellcode, and the EDR neither inspected nor blocked the malicious actions that followed from it (the source cites Mimikatz).

Detection & mitigation

Monitor for process creation where the parent process is an EDR component, especially when the child is not itself a signed EDR binary or goes on to load unsigned DLLs or make unusual API calls. Caveat: PPID spoofing makes the EDR process the logged parent, so the parent field alone will not name the attacker; correlate with non-EDR processes opening a handle to an EDR process with PROCESS_CREATE_PROCESS access (the right needed to spoof it as parent; Sysmon Event ID 10 records GrantedAccess) and with remote-thread creation into descendants of EDR processes (Sysmon Event ID 8). Mitigation: run EDR user-mode processes as protected processes (PPL) so they cannot be opened for parent spoofing, and apply the vendor patch so that the hooking DLL is also loaded into the EDR's own process and its integrity is verified.
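The correlation described above, as an added example that is not part of the cited source or the vendor's product: it walks constructed Sysmon-style events (process create, process access, remote thread) in time order and raises a child-of-EDR finding from medium to high only when a non-EDR process opened the EDR process with PROCESS_CREATE_PROCESS shortly before. The event dicts, pids, paths (stager.exe, a hypothetical updater.exe) and the 60-second window are all assumptions made for the example; only STRANGETRINITY.exe comes from the record.

```python
"""Correlating Sysmon-style telemetry to catch PPID spoofing under an EDR process.

Added example, not code from the cited source or the vendor. Events below are
constructed; field names follow Sysmon event IDs 1 (ProcessCreate),
8 (CreateRemoteThread) and 10 (ProcessAccess).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The record names only the EDR's main user-mode binary; extend as needed.
EDR_IMAGES = {"strangetrinity.exe"}
# Access right a caller must hold on the would-be parent to spoof it.
PROCESS_CREATE_PROCESS = 0x0080
# Look-back from a child creation to the handle open (assumed value).
CORRELATION_WINDOW = timedelta(seconds=60)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_edr(path):
    return _basename(path) in EDR_IMAGES


def _when(event):
    return datetime.fromisoformat(event["UtcTime"])


def find_edr_lineage_abuse(events):
    """Return findings; each has rule, severity, time, pid, image, attributed_to_pid.

    Under PPID spoofing the ProcessCreate record shows the EDR process as parent,
    so attribution comes from the earlier handle open, not from the parent field.
    """
    findings = []
    handle_opens = defaultdict(list)  # EDR pid -> [(time, source pid)]
    edr_children = {}                 # pid -> image of children claiming an EDR parent

    for e in sorted(events, key=_when):
        eid, t = e["EventID"], _when(e)

        if eid == 10 and _is_edr(e["TargetImage"]) and not _is_edr(e["SourceImage"]):
            if int(e["GrantedAccess"], 16) & PROCESS_CREATE_PROCESS:
                handle_opens[e["TargetProcessId"]].append((t, e["SourceProcessId"]))
                findings.append({"rule": "edr_process_opened_with_create_process",
                                 "severity": "medium", "time": e["UtcTime"],
                                 "pid": e["TargetProcessId"], "image": e["TargetImage"],
                                 "attributed_to_pid": e["SourceProcessId"]})

        elif eid == 1 and _is_edr(e["ParentImage"]):
            creator = None
            for opened_at, src_pid in handle_opens.get(e["ParentProcessId"], []):
                if timedelta(0) <= t - opened_at <= CORRELATION_WINDOW:
                    creator = src_pid  # the process that could have spoofed this parent
            edr_children[e["ProcessId"]] = e["Image"]
            findings.append({"rule": "child_created_under_edr_process",
                             "severity": "high" if creator else "medium",
                             "time": e["UtcTime"], "pid": e["ProcessId"],
                             "image": e["Image"], "attributed_to_pid": creator})

        elif eid == 8 and e["TargetProcessId"] in edr_children and not _is_edr(e["SourceImage"]):
            findings.append({"rule": "remote_thread_into_edr_lineage_process",
                             "severity": "high", "time": e["UtcTime"],
                             "pid": e["TargetProcessId"],
                             "image": edr_children[e["TargetProcessId"]],
                             "attributed_to_pid": e["SourceProcessId"]})
    return findings


EDR_EXE = r"C:\Program Files\STRANGETRINITY\STRANGETRINITY.exe"
STAGER = r"C:\Users\bob\AppData\Local\Temp\stager.exe"

# Constructed sample telemetry mirroring the reported chain (not real logs).
SAMPLE_EVENTS = [
    # EDR spawning a hypothetical updater: no prior handle open, stays medium.
    {"EventID": 1, "UtcTime": "2023-08-03 09:00:00", "ProcessId": 2210,
     "Image": r"C:\Program Files\STRANGETRINITY\updater.exe",
     "ParentProcessId": 1808, "ParentImage": EDR_EXE},
    # Unrelated noise.
    {"EventID": 1, "UtcTime": "2023-08-03 09:30:00", "ProcessId": 3001,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentProcessId": 2980, "ParentImage": r"C:\Windows\explorer.exe"},
    # Stager opens the unprotected EDR process with PROCESS_CREATE_PROCESS.
    {"EventID": 10, "UtcTime": "2023-08-03 10:00:00", "SourceProcessId": 4120,
     "SourceImage": STAGER, "TargetProcessId": 1808, "TargetImage": EDR_EXE,
     "GrantedAccess": "0x80"},
    # Spoofed-parent child: the log names the EDR, not stager.exe, as parent.
    {"EventID": 1, "UtcTime": "2023-08-03 10:00:02", "ProcessId": 5200,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentProcessId": 1808, "ParentImage": EDR_EXE},
    # CreateRemoteThread from the stager into that child.
    {"EventID": 8, "UtcTime": "2023-08-03 10:00:03", "SourceProcessId": 4120,
     "SourceImage": STAGER, "TargetProcessId": 5200,
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for f in find_edr_lineage_abuse(SAMPLE_EVENTS):
        print(f["time"], f["severity"].upper(), f["rule"], "pid", f["pid"],
              "attributed to", f["attributed_to_pid"])
```

The updater child is reported at medium because nothing opened the EDR process beforehand; the notepad.exe child is raised to high and attributed to pid 4120 because that pid held a PROCESS_CREATE_PROCESS handle to the claimed parent within the window, and the remote thread into it is flagged on its own.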

This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.