Bypass Record

Tamper-Protection Bypass × Byfron anti-tampering

A publicly reported instance of a Tamper-Protection Bypass technique used against Byfron anti-tampering, recorded with its original source. This is a factual record, not an assessment of any specific deployment.

Product: Byfron anti-tampering
Technique: Tamper-Protection Bypass
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: poc
Disclosed: 2024-06-09
Config / version noted: Not stated

Provenance

Reported as

PlagueSuspender suspends threads responsible for process scanning, allowing debuggers to attach without crashing the protected application

Mechanism

PlagueSuspender identifies the threads that perform process scans and suspends them, so attached debuggers or analysis tools are no longer detected. This defeats Byfron's process protection by disabling the monitoring threads it relies on.

Detection & mitigation

Monitor for suspicious thread suspension targeting security-critical processes using ETW or kernel callbacks; deploy anti-tampering that verifies thread integrity; and run security services as Protected Process Light (PPL) to harden them against tampering.

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.