vuln disclosure
EDR Whitelist Bypass Allows Undetected Malicious Activity via PPID SpoofingSTRANGETRINITY EDR Whitelist Bypass via PPID Spoofing
Researchers discovered that a top-tier EDR product (anonymized as STRANGETRINITY) did not inject its hooking DLL into its own user-mode process, which ran without process protection. By using PPID spoofing to spawn a new instance of the EDR process and injecting shellcode via CreateRemoteThread, attackers could execute post-exploitation tools like Mimikatz without detection. The vendor confirmed this was unintended behavior and has since fixed the issue.