Bypass Record

Tamper-Protection Bypass × STRANGETRINITY EDR Agent

A publicly reported instance of Tamper-Protection Bypass used against STRANGETRINITY EDR Agent, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
STRANGETRINITY EDR Agent
Technique
Tamper-Protection Bypass
MITRE ATT&CK
T1562.001
Confidence
High
Severity
High
Status
poc
Disclosed
2023-09-13
Config / version noted
Not stated

Provenance

Reported as

intercepted and tampered with the TLS-encrypted communication between the agent and its cloud tenant, bypassing anti-tampering protections

Mechanism

With administrative access, researchers leveraged a COM interface (COMTRINITY_A/B) to extract EDR configuration, then intercepted and tampered with the TLS-encrypted communication between the agent and its cloud tenant, bypassing anti-tampering protections.

Detection & mitigation

Monitor for unexpected access to EDR-specific COM interfaces (e.g., COMTRINITY_A/B) by non-system processes, especially those invoking methods that read configuration. Enforce application control to block unauthorized COM usage, and ensure EDR tamper protection is enabled and alerts on any configuration extraction attempts. Note that the reported technique starts from administrative access, so these controls primarily raise the visibility and cost of an attempt rather than guarantee an administrator cannot reach the interface; treat any alert as a signal to investigate the caller, not as proof the attempt was blocked.
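The detection logic above, as an added example that is not part of the original record or of any vendor tooling. It assumes COM activation telemetry (for instance from the Microsoft-Windows-COMRuntime ETW provider, or the EDR's own audit log) has been normalised into one line per activation carrying the CLSID, the activating image, the account it runs as, and its PID. The CLSIDs, image paths, account names and log lines are constructed for illustration; the real interface identifiers for COMTRINITY_A/B and the agent's own binaries must be substituted from the vendor's documentation.

```python
"""Flag non-SYSTEM or unexpected processes activating EDR-specific COM interfaces.

Added example, not from the original record. Telemetry format is assumed to be
"clsid|image|user|pid"; every identifier and path below is a placeholder.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Hypothetical CLSIDs standing in for the COMTRINITY_A/B interfaces.
EDR_COM_INTERFACES = {
    "{11111111-1111-1111-1111-111111111111}": "COMTRINITY_A",
    "{22222222-2222-2222-2222-222222222222}": "COMTRINITY_B",
}

# Images expected to talk to the agent's COM surface (placeholder paths).
ALLOWED_CALLERS = {
    r"C:\Program Files\StrangeTrinity\agent.exe".lower(),
    r"C:\Program Files\StrangeTrinity\updater.exe".lower(),
}

# Accounts the agent's own components are expected to run as.
SYSTEM_ACCOUNTS = {r"NT AUTHORITY\SYSTEM".lower()}


@dataclass(frozen=True)
class Alert:
    interface: str
    image: str
    user: str
    pid: int
    reason: str


def parse_activation(line: str) -> Optional[Tuple[str, str, str, int]]:
    """Split one telemetry line; return None for malformed input instead of raising."""
    parts = line.strip().split("|")
    if len(parts) != 4:
        return None
    clsid, image, user, pid = (p.strip() for p in parts)
    try:
        return clsid.upper(), image, user, int(pid)
    except ValueError:
        return None


def classify(clsid: str, image: str, user: str, pid: int) -> Optional[Alert]:
    """Decide whether a single activation of an EDR interface is suspicious."""
    interface = EDR_COM_INTERFACES.get(clsid)
    if interface is None:
        return None  # not an EDR interface; out of scope for this rule
    allowed_image = image.lower() in ALLOWED_CALLERS
    system_ctx = user.lower() in SYSTEM_ACCOUNTS
    if allowed_image and system_ctx:
        return None  # the agent's own component in its expected context
    if not allowed_image:
        reason = "unexpected caller image"
    else:
        # A trusted image outside SYSTEM context suggests it was launched or
        # impersonated by an interactive/administrative user.
        reason = "trusted image running outside SYSTEM context"
    return Alert(interface, image, user, pid, reason)


def detect(lines: Iterable[str]) -> List[Alert]:
    """Run the rule over a stream of telemetry lines and collect alerts."""
    alerts: List[Alert] = []
    for line in lines:
        parsed = parse_activation(line)
        if parsed is None:
            continue  # skip malformed telemetry rather than crash the pipeline
        alert = classify(*parsed)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: one benign agent activation, two foreign
# callers, one non-EDR CLSID, one trusted image in the wrong context, and
# one malformed line.
SAMPLE_LOG = r"""
{11111111-1111-1111-1111-111111111111}|C:\Program Files\StrangeTrinity\agent.exe|NT AUTHORITY\SYSTEM|1204
{11111111-1111-1111-1111-111111111111}|C:\Users\alice\Desktop\cfgdump.exe|CORP\alice|5832
{33333333-3333-3333-3333-333333333333}|C:\Windows\explorer.exe|CORP\alice|2200
{22222222-2222-2222-2222-222222222222}|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CORP\admin|6120
{22222222-2222-2222-2222-222222222222}|C:\Program Files\StrangeTrinity\agent.exe|CORP\admin|7001
not a telemetry line
""".strip().splitlines()


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.interface}] pid={a.pid} user={a.user} image={a.image}: {a.reason}")
```

The allowlist is keyed on image path and account only because that is what generic activation telemetry provides; an administrator can launch a tool as SYSTEM or from a copied agent binary, so in production pair this rule with code-signing checks on the caller and with the agent's own tamper-protection alerts rather than relying on it alone.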


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.