Bypass Record

Process Injection × Respondus LockDown Browser

A publicly reported instance of Process Injection bypassing Respondus LockDown Browser, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Respondus LockDown Browser
Technique: Process Injection
MITRE ATT&CK: T1055
Confidence: High
Severity: High
Status: PoC
Disclosed: 2025-07-24
Config / version noted: Not stated

Provenance

Reported as

bypasses switch window detection, forces focus, prevents closure of blacklisted apps, and clears clipboard restrictions

Mechanism

A C++ DLL hooks into the LockDown Browser process to intercept and disable its security functions: bypasses switch window detection, forces focus, prevents closure of blacklisted apps, and clears clipboard restrictions. A Python injector waits for the target process and injects the DLL, with hotkeys to activate/deactivate hooks.

Detection & mitigation

Monitor for suspicious process injection events, such as CreateRemoteThread or SetWindowsHookEx calls targeting the LockDown Browser process, using EDR telemetry or Sysmon Event ID 8. Mitigate by enforcing application whitelisting and blocking unsigned DLLs from loading into protected processes.
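The monitoring described above, sketched as an added example (not code from the cited source or from Respondus): it scans Sysmon events rendered as XML for Event ID 8 (CreateRemoteThread) aimed at the protected process, and goes one step further by also flagging Event ID 7 (image load) records where the loaded module is unsigned. The process name `LockDownBrowser.exe`, the source allowlist, the install path and all sample events are assumptions constructed for illustration; Event ID 7 is only logged if image-load logging is enabled in the Sysmon configuration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TARGET_IMAGE = "lockdownbrowser.exe"   # assumption: protected process name
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}  # assumption: site allowlist

def parse_event(xml_text):
    """Return (event_id, {field: value}) for one Sysmon event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    fields = {d.get("Name"): d.text or ""
              for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, fields

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_injections(events, target=TARGET_IMAGE, allowed=ALLOWED_SOURCES):
    """Flag remote threads (ID 8) and unsigned image loads (ID 7) in the target."""
    alerts = []
    for xml_text in events:
        event_id, f = parse_event(xml_text)
        if event_id == 8 and basename(f.get("TargetImage", "")) == target:
            if f.get("SourceImage", "").lower() not in allowed:
                alerts.append(("remote_thread", f.get("SourceImage", ""),
                               f.get("StartModule") or "<no backing module>"))
        elif event_id == 7 and basename(f.get("Image", "")) == target:
            if f.get("Signed", "").lower() != "true":
                alerts.append(("unsigned_image_load", f.get("ImageLoaded", ""),
                               f.get("SignatureStatus", "")))
    return alerts

def _sample(event_id, **fields):  # builds a minimal, constructed Sysmon-style event
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{data}</EventData></Event>')

LDB = r"C:\Apps\LockDownBrowser.exe"  # constructed path, not the real install dir
SAMPLE_EVENTS = [
    _sample(8, SourceImage=r"C:\Users\student\python.exe", TargetImage=LDB,
            StartModule=r"C:\Windows\System32\kernel32.dll"),
    _sample(8, SourceImage=r"C:\Windows\System32\csrss.exe", TargetImage=LDB),
    _sample(8, SourceImage=r"C:\Users\student\python.exe",
            TargetImage=r"C:\Windows\notepad.exe"),
    _sample(7, Image=LDB, ImageLoaded=r"C:\Users\student\Downloads\example.dll",
            Signed="false", SignatureStatus="Unavailable"),
    _sample(7, Image=LDB, ImageLoaded=r"C:\Windows\System32\user32.dll",
            Signed="true", SignatureStatus="Valid"),
]
```

Calling `find_injections(SAMPLE_EVENTS)` returns two alerts: the remote thread created by the non-allowlisted source and the unsigned module load. The allowlisted source and the thread aimed at an unrelated process are ignored.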

This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.