Bypass Record

Tamper-Protection Bypass × STRANGETRINITY EDR

A publicly reported instance of Tamper-Protection Bypass against STRANGETRINITY EDR, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
STRANGETRINITY EDR
Technique
Tamper-Protection Bypass
MITRE ATT&CK
T1562.001
Confidence
High
Severity
Critical
Status
poc
Disclosed
2023-11-06
Config / version noted
Not stated

Provenance

Reported as

Researchers leveraged a signed EDR binary (a new LOLBin) to invoke this command, bypassing the signature check and disabling the EDR.

Mechanism

The EDR's update process temporarily lifts self-protection to apply updates. The command 'StrangeTrinity.exe unshield_from_authorized_process' disables shields if the parent process is signed by the vendor. Researchers leveraged a signed EDR binary (a new LOLBin) to invoke this command, bypassing the signature check and disabling the EDR.

Detection & mitigation

Monitor for execution of the EDR's own signed binaries with unusual command-line arguments (e.g., 'unshield_from_authorized_process') or parent-child process relationships where a signed EDR binary spawns another EDR component in a non-standard way. Mitigation: ensure update mechanisms require multi-factor integrity checks and restrict self-protection disable commands to strictly controlled, monitored update workflows.
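One way to implement the detection described above, as an added example that is not part of the original record or the vendor's own tooling: a small classifier run over constructed process-creation events. The argument name comes from the record; the updater and helper binary names (stupdate.exe, sthelper.exe), the install path and the sample events are assumptions.

```python
from dataclasses import dataclass

# Constructed names: StrangeTrinity.exe is named in the record; the updater
# (stupdate.exe) and helper (sthelper.exe) binaries are assumed for illustration.
EDR_BINARIES = {"strangetrinity.exe", "stupdate.exe", "sthelper.exe"}
EXPECTED_UPDATE_PARENT = "stupdate.exe"               # assumed legitimate update workflow
UNSHIELD_ARGS = {"unshield_from_authorized_process"}   # argument named in the record


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    cmdline: str        # full command line as reported by the sensor
    parent_image: str   # full path of the parent process


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[tuple[str, str]]:
    """Return (severity, reason) findings for one process-creation event."""
    findings: list[tuple[str, str]] = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    if img not in EDR_BINARIES:
        return findings                      # only the EDR's own binaries are in scope
    args = {a.lower() for a in ev.cmdline.split()[1:]}
    if args & UNSHIELD_ARGS:
        # The disable command is expected only from the update workflow; anything
        # else (including another vendor-signed binary acting as a LOLBin) is high.
        if parent == EXPECTED_UPDATE_PARENT:
            findings.append(("low", "self-protection lifted by expected updater; audit"))
        else:
            findings.append(("high", f"self-protection disable command from parent {parent}"))
    elif parent in EDR_BINARIES and parent != EXPECTED_UPDATE_PARENT:
        findings.append(("medium", f"EDR component spawned by EDR binary {parent} outside update workflow"))
    return findings


def detect(events: list[ProcEvent]) -> list[tuple[int, str, str]]:
    return [(i, sev, why) for i, ev in enumerate(events) for sev, why in classify(ev)]


EDR_DIR = r"C:\Program Files\StrangeTrinity"   # assumed install path
SAMPLE_EVENTS = [                               # constructed sample telemetry
    ProcEvent(EDR_DIR + r"\StrangeTrinity.exe", "StrangeTrinity.exe unshield_from_authorized_process", EDR_DIR + r"\stupdate.exe"),
    ProcEvent(EDR_DIR + r"\StrangeTrinity.exe", "StrangeTrinity.exe unshield_from_authorized_process", EDR_DIR + r"\sthelper.exe"),
    ProcEvent(r"C:\Windows\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(EDR_DIR + r"\StrangeTrinity.exe", "StrangeTrinity.exe --status", EDR_DIR + r"\sthelper.exe"),
]

if __name__ == "__main__":
    for i, sev, why in detect(SAMPLE_EVENTS):
        print(f"event {i}: {sev}: {why}")
```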

This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.