Bypass Record

Process Injection × Trellix ePO

A publicly reported instance of Process Injection bypassing Trellix ePO, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Trellix ePO
Technique
Process Injection
MITRE ATT&CK
T1055
Confidence
Medium
Severity
High
Status
poc
Disclosed
2024-10-29
Config / version noted
Not stated

Provenance

Reported as

shellcode avoids LoadLibrary hooks by Trellix/McAfee

Mechanism

The reported exploit injects shellcode into SCPBypass.exe, and the injected code then writes a bypass command to the named pipe \\.\pipe\MCPTrayPipe0. The pipe is created with a NULL DACL (effectively read/write for Everyone), so the only access control on it is the check that the service's WGUARDNT module performs on the writing process's executable path. Because the injected code runs inside a process whose path that check accepts, the check passes even though the command did not originate from the product's own code. The shellcode is also reported to avoid the LoadLibrary hooks installed by Trellix/McAfee, so the injection is not intercepted at that point.

Detection & mitigation

Monitor for process-injection indicators whose target is SCPBypass.exe (a remote thread created in it, or another process opening it with thread-create and memory-write rights), and correlate them with that same process subsequently connecting to \\.\pipe\MCPTrayPipe0. A connection to the pipe from SCPBypass.exe is not suspicious on its own, since its executable path is the one the service's check is reported to accept; the signal is the injection followed by the pipe write. Enable logging of named-pipe creation and connection events and of process creation (with Sysmon these are event IDs 17/18 and 1; remote thread creation is ID 8 and cross-process handle opens are ID 10). Apply vendor patches when available.
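The correlation described above, worked through as an added example (this is not code from the record or from the cited report). It consumes Sysmon-style events using Sysmon's real field names (EventID 8 CreateRemoteThread, 10 ProcessAccess, 17/18 PipeEvent) and flags a pipe connect to MCPTrayPipe0 by an SCPBypass.exe process that was injected into shortly before. The image name and pipe name come from the record; the five-minute window, the file paths and every sample event are constructed for the example.

```python
"""Correlate Sysmon-style events: injection into SCPBypass.exe followed by that
process connecting to \\.\pipe\MCPTrayPipe0.

Field names follow Sysmon's schema. All sample events and paths below are
constructed for this example; the window length is an assumption to tune.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# From the record: the process that gets injected into and the pipe it writes to.
TARGET_IMAGE = "SCPBypass.exe"
PIPE_NAME = "MCPTrayPipe0"

# Assumption: how long after an injection indicator a pipe connect still counts as related.
CORRELATION_WINDOW = timedelta(minutes=5)

# Win32 process access rights (winnt.h) that an injector needs on the target.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE


@dataclass(frozen=True)
class Finding:
    target_pid: int
    injector: str
    injected_at: datetime
    pipe_at: datetime
    indicator: str


def _basename(path: str) -> str:
    # Works for image paths and for Sysmon PipeName values such as "\MCPTrayPipe0".
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _parse_time(s: str) -> datetime:
    # Sysmon UtcTime format: "2024-10-29 10:05:00.000"
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def _is_injection(ev: dict) -> bool:
    """Event 8 into the target, or Event 10 opening it with thread-create + VM-write."""
    if _basename(ev.get("TargetImage", "")) != TARGET_IMAGE.lower():
        return False
    if ev["EventID"] == 8:
        return True
    if ev["EventID"] == 10:
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
        return (granted & INJECTION_RIGHTS) == INJECTION_RIGHTS
    return False


def _is_pipe_use(ev: dict) -> bool:
    """Event 17/18 where SCPBypass.exe creates or connects to MCPTrayPipe0."""
    if ev["EventID"] not in (17, 18):
        return False
    if _basename(ev.get("Image", "")) != TARGET_IMAGE.lower():
        return False
    return _basename(ev.get("PipeName", "")) == PIPE_NAME.lower()


def correlate(events: list[dict]) -> list[Finding]:
    """One Finding per pipe use that follows an injection into the same PID within the window."""
    findings: list[Finding] = []
    injected = {}  # pid -> (time, injector image, indicator label) of the latest injection seen
    for ev in sorted(events, key=lambda e: _parse_time(e["UtcTime"])):
        t = _parse_time(ev["UtcTime"])
        if _is_injection(ev):
            label = "CreateRemoteThread" if ev["EventID"] == 8 else "ProcessAccess"
            injected[int(ev["TargetProcessId"])] = (t, ev.get("SourceImage", "?"), label)
        elif _is_pipe_use(ev):
            pid = int(ev["ProcessId"])
            if pid in injected:
                inj_t, injector, label = injected[pid]
                if t - inj_t <= CORRELATION_WINDOW:
                    findings.append(Finding(pid, injector, inj_t, t, label))
    return findings


# Constructed sample events (paths are placeholders, not the product's install location).
_SCP = r"C:\example\SCPBypass.exe"
SAMPLE_EVENTS = [
    # Stale: injection an hour before the pipe connect, outside the window -> no finding.
    {"EventID": 8, "UtcTime": "2024-10-29 08:00:00.000", "SourceImage": r"C:\example\old.exe",
     "TargetImage": _SCP, "TargetProcessId": "4300"},
    {"EventID": 18, "UtcTime": "2024-10-29 09:00:00.000", "ProcessId": "4300",
     "Image": _SCP, "PipeName": r"\MCPTrayPipe0"},
    # Benign: SCPBypass.exe uses the pipe with no preceding injection -> no finding.
    {"EventID": 18, "UtcTime": "2024-10-29 10:00:00.000", "ProcessId": "4100",
     "Image": _SCP, "PipeName": r"\MCPTrayPipe0"},
    # Suspicious: loader opens SCPBypass.exe with injection rights, starts a remote
    # thread in it, and that PID then connects to the pipe -> one finding.
    {"EventID": 10, "UtcTime": "2024-10-29 10:05:00.000", "SourceImage": r"C:\Users\u\loader.exe",
     "TargetImage": _SCP, "TargetProcessId": "4200", "GrantedAccess": "0x1F0FFF"},
    {"EventID": 8, "UtcTime": "2024-10-29 10:05:01.000", "SourceImage": r"C:\Users\u\loader.exe",
     "TargetImage": _SCP, "TargetProcessId": "4200"},
    {"EventID": 18, "UtcTime": "2024-10-29 10:05:03.000", "ProcessId": "4200",
     "Image": _SCP, "PipeName": r"\MCPTrayPipe0"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"pid {f.target_pid} injected by {f.injector} ({f.indicator}) "
              f"at {f.injected_at}, wrote to pipe at {f.pipe_at}")
```

Only the injection-then-pipe sequence on the same PID produces a finding; the benign pipe use and the stale injection are ignored. Event 10 is matched on the granted access mask rather than the event alone because many legitimate tools open processes with query rights only.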


This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.