Bypass Record

Process Injection × Microsoft Windows Defender

A publicly-reported instance of Process Injection bypassing Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Windows Defender
Technique: Process Injection
MITRE ATT&CK: T1055
Confidence: High
Severity: High
Status: poc
Disclosed: 2025-06-25
Config / version noted: Not stated

Provenance

Reported as

bypass Windows Defender for Metasploit Payloads

Mechanism

Combines process injection (remote mapping into trusted processes), AMSI patching to disable script scanning, delayed execution to evade sandbox timeouts, PPID spoofing to hide process ancestry, and adding Defender exclusions to bypass real-time scanning. Payloads are encrypted and executed in memory to avoid static detection.

Detection & mitigation

Monitor for suspicious process injections, such as remote thread creation or memory allocation in trusted processes (e.g., via Sysmon Event ID 8 or 10). Mitigate by enforcing application control, enabling memory integrity features, and restricting debug privileges.
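As an added illustration of the monitoring described above (not code from the cited source), the following Python applies that logic to constructed, simplified Sysmon-style events: Event ID 8 (CreateRemoteThread) into a trusted process, and Event ID 10 (ProcessAccess) where the granted access mask includes the thread-creation and memory-write rights injection needs. The event dicts, the file paths and the list of trusted target names are assumptions; real Sysmon events are XML with the same field names.

```python
"""Toy detector for the Sysmon Event ID 8 / 10 injection pattern.
Events are constructed, simplified dicts, not real Sysmon XML."""
from dataclasses import dataclass

# Windows process access rights (real constants) that injection typically needs.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumed "trusted" targets worth alerting on; tune this per environment.
TRUSTED_TARGETS = {"explorer.exe", "svchost.exe", "notepad.exe", "runtimebroker.exe"}

@dataclass
class Alert:
    event_id: int
    source: str
    target: str
    reason: str

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect(events):
    """Return alerts for Event ID 8 (CreateRemoteThread) and Event ID 10
    (ProcessAccess) records that look like injection into a trusted process."""
    alerts = []
    for ev in events:
        src, tgt = _basename(ev["SourceImage"]), _basename(ev["TargetImage"])
        if src == tgt or tgt not in TRUSTED_TARGETS:
            continue  # self-access, or a target we are not watching
        if ev["EventID"] == 8:
            alerts.append(Alert(8, src, tgt, "remote thread created in trusted process"))
        elif ev["EventID"] == 10:
            granted = int(ev["GrantedAccess"], 16)
            if granted & INJECT_MASK == INJECT_MASK:  # all three injection rights present
                alerts.append(Alert(10, src, tgt, f"handle with thread+write rights (0x{granted:x})"))
    return alerts

# Constructed sample events: one benign limited-query access, two suspicious records.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\u\Downloads\loader.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1F0FFF"},
    {"EventID": 8, "SourceImage": r"C:\Users\u\Downloads\loader.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"EID {a.event_id}: {a.source} -> {a.target}: {a.reason}")
```

The mask check is deliberately strict (all three rights required) to keep noise from legitimate query-only handles low; loosen it if your telemetry shows injection with narrower masks.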

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.