Bypass Record

Process Injection × SentinelOne EDR

A publicly-reported instance of Process Injection bypassing SentinelOne EDR, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: SentinelOne EDR
Technique: Process Injection
MITRE ATT&CK: T1055
Confidence: High
Severity: Critical
Status: poc
Disclosed: 2023-12-08
Config / version noted: Not stated

Provenance

Reported as: "achieving 100% bypass against five leading EDR products"

Mechanism

Abuses Windows user-mode thread pools and worker factories to trigger malicious execution through legitimate operations. Uses allocation and write primitives to build an execution primitive that evades EDR detection, since EDRs typically track the conventional execution primitives. The variants exploit the start routine of worker factories and the three thread-pool queue types (including the I/O completion queue) to achieve process injection without detection.

Detection & mitigation

Monitor for suspicious use of Windows thread pool APIs (e.g., CreateThreadpoolWork, SubmitThreadpoolWork) and worker factory creation, especially when targeting sensitive processes. Deploy memory scanning and behavioral analysis to detect anomalous code execution patterns, and ensure EDR signatures are updated to cover these novel injection primitives.
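The detection note above can be turned into a concrete rule. The following is an added example, not code from the cited source or from any EDR vendor: it reviews constructed API-call telemetry and flags thread-pool and worker-factory calls that operate on a process other than the caller's own, raising the severity when the target is a sensitive process. The event schema, the sample events, the sensitive-process list and the helper names are all assumptions for illustration; the API names come from the page plus the worker-factory system calls in ntdll that back them.

```python
# Added example (not from the cited source): cross-process thread-pool API use
# as a detection rule over constructed telemetry records.
from dataclasses import dataclass
from typing import Iterable, List, Optional

# APIs named in the detection note, plus the ntdll worker-factory calls behind
# them. Same-process use is routine; cross-process use is the suspicious pattern.
THREADPOOL_APIS = frozenset({
    "CreateThreadpoolWork",
    "SubmitThreadpoolWork",
    "NtCreateWorkerFactory",
    "NtSetInformationWorkerFactory",
})

# Constructed list of images treated as sensitive targets (assumption).
SENSITIVE_IMAGES = frozenset({"lsass.exe", "winlogon.exe", "services.exe"})


@dataclass(frozen=True)
class ApiEvent:
    """One API-call telemetry record. Field names are an assumed schema."""
    caller_pid: int
    caller_image: str
    target_pid: int      # owner of the process handle the call operates on
    target_image: str
    api: str


@dataclass(frozen=True)
class Alert:
    event: ApiEvent
    severity: str
    reason: str


def evaluate(event: ApiEvent) -> Optional[Alert]:
    """Return an Alert for cross-process thread-pool API use, else None."""
    if event.api not in THREADPOOL_APIS:
        return None
    if event.caller_pid == event.target_pid:
        return None  # a process driving its own thread pool is normal
    severity = "high" if event.target_image.lower() in SENSITIVE_IMAGES else "medium"
    reason = (f"cross-process {event.api} from {event.caller_image} "
              f"(pid {event.caller_pid}) into {event.target_image} (pid {event.target_pid})")
    return Alert(event, severity, reason)


def scan(events: Iterable[ApiEvent]) -> List[Alert]:
    """Apply evaluate() to every event and keep only the alerts."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample telemetry: one benign self-use, two cross-process calls,
# and one unrelated API against a sensitive process.
SAMPLE_EVENTS = [
    ApiEvent(1200, "svchost.exe", 1200, "svchost.exe", "SubmitThreadpoolWork"),
    ApiEvent(4312, "updater.exe", 2044, "explorer.exe", "NtCreateWorkerFactory"),
    ApiEvent(4312, "updater.exe", 688, "lsass.exe", "SubmitThreadpoolWork"),
    ApiEvent(5000, "notepad.exe", 688, "lsass.exe", "OpenProcess"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.reason}")
```

The rule deliberately keys on the caller/target mismatch rather than on the API name alone, because the APIs themselves are used constantly by legitimate software; in a real deployment the target-process ownership would come from the EDR's handle telemetry rather than from a field on the event.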

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.