Bypass Record

Process Injection × Microsoft Windows Defender Antivirus

A publicly-reported instance of Process Injection bypassing Microsoft Windows Defender Antivirus, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Windows Defender Antivirus
Technique: Process Injection
MITRE ATT&CK: T1055
Confidence: High
Severity: High
Status: poc
Disclosed: 2023-11-16
Config / version noted: Not stated

Provenance

Reported as

Windows Defender failed to detect the final payload or its activity.

Mechanism

A C++ LSASS dumper uses MiniDumpWriteDump and XOR-encrypts the dump before writing to disk. Donut converts the executable into shellcode with AMSI/WLDP/ETW bypass and aPLib compression. A Go injector spawns notepad.exe, injects the shellcode, and terminates itself. The injected notepad.exe loads amsi.dll, dbghelp.dll, and dbgcore.dll to perform the dump undetected.

Detection & mitigation

Monitor for process injection events (Sysmon Event ID 10) where a process accesses LSASS or spawns a child process that loads unusual DLLs like amsi.dll, dbghelp.dll, and dbgcore.dll. Detect anomalous process creation chains (e.g., a non-standard parent spawning notepad.exe) and suspicious image loads (Sysmon Event ID 7) of debugging DLLs in processes that normally don't use them. Use endpoint detection to flag XOR-encrypted LSASS dump files written to disk.
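The three detection ideas above (Sysmon Event ID 1 parent/child anomalies, Event ID 7 loads of dbghelp.dll/dbgcore.dll into a non-debugger, Event ID 10 LSASS access from an unexpected source), as an added toy detection pass that is not part of the cited record; the event dicts are constructed Sysmon-style samples, and the allowlists and expected-parent map are assumed site baselines.

```python
# Added example, not from the cited report; allowlists are assumed site baselines.
from collections import defaultdict

MINIDUMP_DLLS = {"dbghelp.dll", "dbgcore.dll"}        # MiniDumpWriteDump dependencies
DEBUGGER_ALLOWLIST = {"windbg.exe", "werfault.exe"}   # assumption: legitimate dump writers
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}  # assumption
EXPECTED_PARENTS = {"notepad.exe": {"explorer.exe", "cmd.exe"}}  # assumption

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyze(events):
    """Return (rule, pid, detail) alerts for the three behaviours noted above."""
    alerts, loads = [], defaultdict(set)
    for e in events:
        eid = e["EventID"]
        if eid == 1:     # process creation: non-standard parent for a known child
            img, parent = basename(e["Image"]), basename(e["ParentImage"])
            if img in EXPECTED_PARENTS and parent not in EXPECTED_PARENTS[img]:
                alerts.append(("anomalous_parent", e["ProcessId"], f"{parent} -> {img}"))
        elif eid == 7:   # image load: collect DLLs per process, judged after the pass
            if basename(e["Image"]) not in DEBUGGER_ALLOWLIST:
                loads[e["ProcessId"]].add(basename(e["ImageLoaded"]))
        elif eid == 10:  # process access: LSASS opened by a source outside the allowlist
            src = basename(e["SourceImage"])
            if basename(e["TargetImage"]) == "lsass.exe" and src not in LSASS_ALLOWLIST:
                alerts.append(("lsass_access", e["SourceProcessId"], e["GrantedAccess"]))
    for pid, dlls in loads.items():
        if MINIDUMP_DLLS <= dlls:  # both minidump DLLs inside a non-debugger process
            alerts.append(("minidump_dlls", pid, ",".join(sorted(dlls))))
    return alerts

# Constructed sample (with benign controls): injector-spawned notepad loads dump DLLs, opens LSASS.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 200, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Users\u\injector.exe"},
    {"EventID": 1, "ProcessId": 300, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessId": 200, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\dbghelp.dll"},
    {"EventID": 7, "ProcessId": 200, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\dbgcore.dll"},
    {"EventID": 10, "SourceProcessId": 200, "SourceImage": r"C:\Windows\System32\notepad.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceProcessId": 900, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

def run_sample():
    return analyze(SAMPLE_EVENTS)
```

The explorer-spawned notepad and Defender's own LSASS access produce no alerts, so the three hits all point at the injected process.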

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.