Bypass Record

Process Injection × Microsoft Defender for Endpoint

A publicly reported instance of Process Injection bypassing Microsoft Defender for Endpoint, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Defender for Endpoint
Technique: Process Injection
MITRE ATT&CK: T1055
Confidence: Medium
Severity: High
Status: poc
Disclosed: 2023-08-21
Config / version noted: Not stated

Provenance

Reported as: tested against Microsoft Defender for Endpoint with Cobalt Strike

Mechanism

Process hollowing: the loader creates a legitimate process in a suspended state, replaces that process's memory with the payload shellcode (stored 3DES-encrypted), then resumes execution. The reported sample also includes sandbox evasion, analysis evasion, and an execution delay to avoid detection.

Detection & mitigation

Monitor for process creation in a suspended state (e.g., CREATE_SUSPENDED flag) followed by memory allocation and write operations (e.g., VirtualAllocEx, WriteProcessMemory) and subsequent thread resumption, especially from non-standard or newly written binaries. Mitigate by enforcing application control, enabling memory integrity features, and using EDR solutions that inspect process hollowing behavior.
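The following is an added example, not code from the cited source or from any vendor: a small correlation rule that implements the detection guidance above over a constructed stream of endpoint events. The event schema (process_create and api_call records with pid, target_pid, api and flags fields), the 30-second correlation window, and the "standard directory" list are assumptions for the example; the CREATE_SUSPENDED value is the documented CreateProcess flag. It flags a child that was created suspended and then received a remote allocation, a remote write, and a thread resume from its creator, and rates the finding higher when the creator runs from a user-writable location.

```python
"""Correlate endpoint telemetry for the process-hollowing sequence:
CREATE_SUSPENDED creation, remote allocation + write into that child,
then thread resumption. Schema and sample events are constructed for
this example; they do not come from a real sensor."""
from collections import defaultdict
from datetime import datetime, timedelta

CREATE_SUSPENDED = 0x00000004  # documented CreateProcess creation flag
# Assumed list of locations from which signed, installed software normally runs.
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WINDOW = timedelta(seconds=30)  # assumed correlation window
RESUME_APIS = {"ResumeThread", "NtResumeThread"}
REQUIRED_APIS = {"VirtualAllocEx", "WriteProcessMemory"}


def is_non_standard(image_path):
    """True when the image lives outside the assumed standard directories."""
    return not image_path.lower().startswith(STANDARD_DIRS)


def detect_hollowing(events):
    """Return one finding per suspended child that, within WINDOW of creation,
    got VirtualAllocEx and WriteProcessMemory from its creator and was then
    resumed. Events are processed in timestamp order, so the resume must come
    after both the allocation and the write."""
    suspended = {}            # child pid -> its process_create event
    seen = defaultdict(set)   # child pid -> APIs the creator called against it
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["kind"] == "process_create":
            if e.get("flags", 0) & CREATE_SUSPENDED:
                suspended[e["child_pid"]] = e
            continue
        if e["kind"] != "api_call":
            continue
        creation = suspended.get(e["target_pid"])
        # Only the creating process is correlated here; a broader rule would
        # also track any third process writing into the suspended child.
        if creation is None or e["pid"] != creation["pid"]:
            continue
        if e["ts"] - creation["ts"] > WINDOW:
            continue  # too old to be part of the same hollowing sequence
        apis = seen[e["target_pid"]]
        apis.add(e["api"])
        if e["api"] in RESUME_APIS and REQUIRED_APIS <= apis:
            findings.append({
                "creator_pid": creation["pid"],
                "creator_image": creation["image"],
                "target_pid": creation["child_pid"],
                "target_image": creation["child_image"],
                "severity": "high" if is_non_standard(creation["image"]) else "medium",
            })
            del suspended[e["target_pid"]]  # report each child once
    return findings


T0 = datetime(2023, 8, 21, 12, 0, 0)  # constructed base time
s = lambda n: T0 + timedelta(seconds=n)

# Constructed sample telemetry.
SAMPLE_EVENTS = [
    # Benign launcher: suspended create, then resume with no remote write.
    {"ts": s(0), "kind": "process_create", "pid": 400, "image": "C:\\Program Files\\Launcher\\launcher.exe",
     "child_pid": 401, "child_image": "C:\\Program Files\\Launcher\\app.exe", "flags": CREATE_SUSPENDED},
    {"ts": s(1), "kind": "api_call", "pid": 400, "target_pid": 401, "api": "ResumeThread"},
    # Suspicious chain from a user-writable path into a hollowed system binary.
    {"ts": s(5), "kind": "process_create", "pid": 900, "image": "C:\\Users\\Public\\update.exe",
     "child_pid": 901, "child_image": "C:\\Windows\\System32\\svchost.exe", "flags": CREATE_SUSPENDED},
    {"ts": s(6), "kind": "api_call", "pid": 900, "target_pid": 901, "api": "VirtualAllocEx"},
    {"ts": s(6), "kind": "api_call", "pid": 900, "target_pid": 901, "api": "WriteProcessMemory"},
    {"ts": s(7), "kind": "api_call", "pid": 900, "target_pid": 901, "api": "ResumeThread"},
    # Same APIs but far outside the window: not correlated.
    {"ts": s(10), "kind": "process_create", "pid": 950, "image": "C:\\Users\\Public\\late.exe",
     "child_pid": 951, "child_image": "C:\\Windows\\System32\\notepad.exe", "flags": CREATE_SUSPENDED},
    {"ts": s(50), "kind": "api_call", "pid": 950, "target_pid": 951, "api": "VirtualAllocEx"},
    {"ts": s(51), "kind": "api_call", "pid": 950, "target_pid": 951, "api": "WriteProcessMemory"},
    {"ts": s(52), "kind": "api_call", "pid": 950, "target_pid": 951, "api": "ResumeThread"},
]

if __name__ == "__main__":
    for finding in detect_hollowing(SAMPLE_EVENTS):
        print(finding)
```

The launcher case shows why the rule requires the allocation and write rather than firing on CREATE_SUSPENDED alone: installers, debuggers and some launchers legitimately start children suspended. The window keeps the rule from stitching together unrelated events from long-lived processes; the value is a tuning knob, not a fixed property of the technique.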


This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.