Bypass Record

Process Injection × Pearson LockDown Browser

A publicly-reported instance of Process Injection bypassing Pearson LockDown Browser, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Pearson LockDown Browser
Technique: Process Injection
MITRE ATT&CK: T1055
Confidence: High
Severity: High
Status: poc
Disclosed: 2024-06-18
Config / version noted: Not stated

Provenance

Reported as

DLL injection and API hooking to bypass virtual machine detection and reporting in Pearson LockDown Browser

Mechanism

A DLL is injected into the Pearson executable at launch. The injected code hooks GetProcAddress to block VM and hook detection, hooks report_post to suppress reporting, and hooks HidCheckVM to bypass VM checks.

Detection & mitigation

Monitor for suspicious DLL loads or process injections into LockDownBrowser.exe using EDR telemetry or Sysmon Event ID 7 (Image Loaded) and Event ID 8 (CreateRemoteThread). Mitigate by enforcing application whitelisting and integrity checks to prevent unauthorized DLL injection.
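The monitoring described above, sketched as triage logic over already-parsed Sysmon events. This is an added example, not code from the cited source. The field names follow Sysmon's Event ID 7 and 8 schema; the trusted directories, the install path, and the sample events are constructed assumptions.

```python
from ntpath import basename  # parses Windows paths on any OS

TARGET = "lockdownbrowser.exe"
# Assumption: directories the browser legitimately loads modules from.
# The install path is a placeholder; set it to the real one in your fleet.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files (x86)\\pearson\\")

def is_target(path):
    return basename(path or "").lower() == TARGET

def triage(event):
    """Return a list of reasons the event is suspicious (empty if benign)."""
    reasons = []
    eid = event.get("EventID")
    if eid == 7 and is_target(event.get("Image")):
        # Image Loaded: flag modules from unexpected paths or without a valid signature.
        loaded = event.get("ImageLoaded", "").lower()
        if not loaded.startswith(TRUSTED_DIRS):
            reasons.append("module loaded from untrusted directory")
        if (event.get("Signed", "").lower() != "true"
                or event.get("SignatureStatus") != "Valid"):
            reasons.append("module signature missing or invalid")
    elif eid == 8 and is_target(event.get("TargetImage")):
        # CreateRemoteThread: any foreign process starting a thread in the browser.
        if not is_target(event.get("SourceImage")):
            reasons.append("remote thread created by another process")
    return reasons

def scan(events):
    """Pair each suspicious event's index with its reasons."""
    return [(i, r) for i, e in enumerate(events) if (r := triage(e))]

# Constructed sample events (not real telemetry).
LDB = "C:\\Program Files (x86)\\Pearson\\LockDownBrowser.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": LDB, "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": LDB, "Signed": "false", "SignatureStatus": "Unavailable",
     "ImageLoaded": "C:\\Users\\student\\AppData\\Local\\Temp\\helper.dll"},
    {"EventID": 8, "SourceImage": "C:\\Users\\student\\Downloads\\launcher.exe",
     "TargetImage": LDB},
    {"EventID": 7, "Image": "C:\\Windows\\explorer.exe", "Signed": "false",
     "ImageLoaded": "C:\\Users\\student\\AppData\\Local\\Temp\\helper.dll"},
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["EventID"], "; ".join(reasons))
```

Sysmon only emits Event ID 7 when image-load logging is enabled in its configuration, so confirm that before relying on the first check.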

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.