
Process Injection Certification Test

AV-Comparatives conducts targeted offensive security tests, offering vendors the opportunity to pursue certification in specific areas. In this test, our focus centered on “Shellcode Execution / Process Injection.” Certification reports are exclusively issued for vendors who successfully meet our rigorous criteria. Tested vendors received comprehensive technical data and detailed feedback to enhance their products’ resilience against potential attacks.

https://www.av-comparatives.org/news/process-injection-certification-test/

Process injection stands as one of the most prevalent techniques employed by attackers and red teams alike. Examining the Process Injection (T1055) Technique within the MITRE ATT&CK Framework reveals its versatility, encompassing numerous sub-techniques used across various contexts such as initial access, defense evasion, and privilege escalation.

Methodology

Our evaluation assesses the prevention and detection capabilities of AV/EPP/EDR products against process injection and shellcode execution within the scope of initial access scenarios. We aim to gauge how effectively products respond to diverse C2 frameworks, shellcode variations, memory allocation methods, API calls, injection techniques, and target processes.

Key Variables

To facilitate the creation of evasive shellcode loaders or process injection proof-of-concepts (POCs), we manipulate several variables:

  • Execution/Injection Technique: Utilization of classic injection, early bird injection, and process hollowing techniques.
  • Format/File Type: Incorporation of different file types such as .exe, .dll, .bin, etc.
  • Frameworks/Shellcode: Utilization of diverse command-and-control frameworks including Metasploit, Empire, Covenant, and others.
  • Self-Injection/Remote Injection: Variation in executing shellcode locally within the same process or remotely in a separate process.
  • Processes: Variation of the process context for shellcode execution or injection.
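The variables above also shape what a defender sees in endpoint telemetry. As an added example (not AV-Comparatives' test harness or any vendor's code), the triage routine below classifies constructed Sysmon-style events: EID 8 (CreateRemoteThread) separates the remote-injection variant by file type (unbacked start address for raw shellcode versus a LoadLibrary entry point for DLL injection), and EID 10 (ProcessAccess) flags handles opened with the write-and-thread rights injection requires. The event records and image paths are constructed samples; the severity labels are an assumption to tune per environment.

```python
from typing import Optional

# Win32 process access rights (Windows SDK values) needed to write code into
# another process and start it there.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

def triage(event: dict) -> Optional[tuple]:
    """Classify one Sysmon-style event dict; returns (severity, reason) or None."""
    eid = event["EventID"]
    if eid == 8:
        # EID 8 fires only for threads created in *another* process, i.e. the
        # remote-injection variant. Self-injection into the loader's own process
        # never produces EID 8 and needs memory scanning or ETW instead.
        if not event.get("StartModule"):
            # Start address backed by no loaded image: raw shellcode (.bin)
            # running from freshly allocated memory.
            return ("high", "remote thread with unbacked start address")
        if event.get("StartFunction", "").startswith("LoadLibrary"):
            # Thread entry is LoadLibrary*: classic DLL injection (.dll format).
            return ("medium", "remote thread starting at LoadLibrary (DLL injection)")
        return ("low", "remote thread into another process")
    if eid == 10:
        # EID 10: a handle to another process was opened. Injection needs
        # write + create-thread rights; a bare query right is routine.
        granted = int(event["GrantedAccess"], 16)
        if granted & INJECT_MASK == INJECT_MASK:
            return ("medium", "process handle with write+thread rights")
    return None

def triage_all(events) -> list:
    """Run triage over a batch; returns (severity, source, target, reason) hits."""
    hits = []
    for ev in events:
        verdict = triage(ev)
        if verdict:
            hits.append((verdict[0], ev["SourceImage"], ev["TargetImage"], verdict[1]))
    return hits

# Constructed sample telemetry (not real captures); field names follow Sysmon.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\tester\loader.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartModule": "", "StartFunction": ""},
    {"EventID": 8, "SourceImage": r"C:\Users\tester\loader.exe",
     "TargetImage": r"C:\Windows\notepad.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryW"},
    {"EventID": 10, "SourceImage": r"C:\Users\tester\loader.exe",
     "TargetImage": r"C:\Windows\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\notepad.exe", "GrantedAccess": "0x1000"},
]
```

Running `triage_all(SAMPLE_EVENTS)` flags the first three records and leaves the Task Manager query-only handle alone.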

It’s essential to note that the Process Injection Test scrutinizes a specific aspect of protection, unlike AV-Comparatives’ EPR Test, which assesses the entire attack chain. For this test, we utilize a fully patched and updated Windows 10 host. Testers log in as standard, low-privileged users, operating within a medium-integrity context, to execute the shellcode execution/process injection scenarios.

This evaluation aims to provide insights into the efficacy of AV/EPP/EDR solutions in countering process injection techniques, thus bolstering the security posture of cybersecurity products.

Certified Products

AV-Comparatives’ Process Injection Evaluation serves as a rigorous assessment of cybersecurity products’ capabilities in countering process injection techniques, a prevalent tactic used by attackers. Only vendors that have successfully met our certification criteria have their reports published. Out of seven products tested, only three passed this very challenging evaluation successfully:

Non-certified vendors receive detailed feedback on areas for improvement based on the test results, as part of AV-Comparatives’ commitment to enhancing cybersecurity solutions collaboratively.