Bypass Record
Process Injection × CrowdStrike Falcon
A publicly reported instance of Process Injection bypassing CrowdStrike Falcon, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
Technique 1: Pyramid loads shellcode into a Python process's memory, avoiding disk writes and exploiting Python's trusted reputation and lack of execution auditing.
Technique 2: A Go binary invokes the built-in Windows ssh.exe to create a reverse dynamic proxy, tunneling tools like secretsdump through encrypted SSH traffic that mimics legitimate admin connections.
Detection & mitigation
Monitor for Python processes making anomalous memory allocations (e.g., VirtualAlloc with PAGE_EXECUTE_READWRITE) or spawning unexpected child processes. For the SSH tunnel, baseline legitimate ssh.exe usage and alert on unusual parent processes (e.g., a Go binary) or outbound SSH connections to non-enterprise IPs.
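Added example, not drawn from the cited source: a small Python detector that applies the two checks above to constructed telemetry records. The event field names, the expected-child and baseline-parent lists, and the 10.0.0.0/8 enterprise range are assumptions to be tuned per environment.

```python
import ipaddress

# Constructed records standing in for EDR/Sysmon-style telemetry; the field
# names are an assumption for this example, not any vendor's schema.
EVENTS = [
    {"type": "proc", "image": "python.exe", "parent": "explorer.exe", "pid": 4100},
    {"type": "alloc", "image": "python.exe", "pid": 4100, "protect": "PAGE_EXECUTE_READWRITE"},
    {"type": "proc", "image": "cmd.exe", "parent": "python.exe", "pid": 4188},
    {"type": "proc", "image": "ssh.exe", "parent": "updater.exe", "pid": 4300},
    {"type": "net", "image": "ssh.exe", "pid": 4300, "dst": "203.0.113.7", "dport": 22},
    {"type": "proc", "image": "ssh.exe", "parent": "powershell.exe", "pid": 4400},
    {"type": "net", "image": "ssh.exe", "pid": 4400, "dst": "10.20.1.5", "dport": 22},
]

# Assumed baselines: children a Python interpreter is normally allowed to spawn,
# parents that normally launch ssh.exe, and the address space of enterprise hosts.
EXPECTED_PYTHON_CHILDREN = {"python.exe", "conhost.exe"}
BASELINE_SSH_PARENTS = {"powershell.exe", "cmd.exe", "windowsterminal.exe"}
ENTERPRISE_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def detect(events):
    """Return (pid, reason) alerts for the anomalies described in the record."""
    alerts = []
    for e in events:
        img = e["image"].lower()
        parent = e.get("parent", "").lower()
        # Python process requesting writable+executable memory (in-memory loader pattern)
        if e["type"] == "alloc" and img == "python.exe" and e["protect"] == "PAGE_EXECUTE_READWRITE":
            alerts.append((e["pid"], "python RWX allocation"))
        # Python interpreter spawning a child outside the expected set
        elif e["type"] == "proc" and parent == "python.exe" and img not in EXPECTED_PYTHON_CHILDREN:
            alerts.append((e["pid"], f"python spawned {img}"))
        # ssh.exe started by a parent that is not part of the baseline
        elif e["type"] == "proc" and img == "ssh.exe" and parent not in BASELINE_SSH_PARENTS:
            alerts.append((e["pid"], f"ssh.exe launched by {e['parent']}"))
        # ssh.exe connecting outside the enterprise address space
        elif e["type"] == "net" and img == "ssh.exe":
            dst = ipaddress.ip_address(e["dst"])
            if not any(dst in net for net in ENTERPRISE_NETS):
                alerts.append((e["pid"], f"ssh.exe connection to non-enterprise {dst}"))
    return alerts


if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(pid, reason)
```

On the constructed records, pid 4400 (ssh.exe launched from PowerShell to a 10.x host) produces no alert, while the Python RWX allocation, the cmd.exe child, and the updater.exe-launched tunnel to 203.0.113.7 each do.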
This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.