Process Injection Certification Test
AV-Comparatives conducts targeted offensive security tests, offering vendors the opportunity to pursue certification in specific areas. In this test, our focus was “Shellcode Execution / Process Injection.” Certification reports are issued only for vendors who meet our rigorous criteria. All tested vendors received comprehensive technical data and detailed feedback to improve their products’ resilience against such attacks.
https://www.av-comparatives.org/news/process-injection-certification-test/
Process injection stands as one of the most prevalent techniques employed by attackers and red teams alike. Examining the Process Injection (T1055) Technique within the MITRE ATT&CK Framework reveals its versatility, encompassing numerous sub-techniques used across various contexts such as initial access, defense evasion, and privilege escalation.
Methodology
Our evaluation assesses the prevention and detection capabilities of AV/EPP/EDR products against process injection and shellcode execution in initial access scenarios. We aim to gauge how effectively products respond to diverse C2 frameworks, shellcode variants, memory allocation methods, API calls, injection techniques, and target processes.
Key Variables
To create evasive shellcode loaders and process injection proof-of-concepts (POCs), we vary several variables:
- Execution/Injection Technique: classic injection, early bird injection, and process hollowing.
- Format/File Type: different file types such as .exe, .dll, .bin, etc.
- Frameworks/Shellcode: diverse command-and-control frameworks, including Metasploit, Empire, Covenant, and others.
- Self-Injection/Remote Injection: shellcode executed locally within the same process or remotely in a separate process.
- Processes: the process context in which the shellcode is executed or injected.
Note that the Process Injection Test scrutinizes one specific aspect of protection, unlike AV-Comparatives’ EPR Test, which assesses the entire attack chain. For this test, we use a fully patched and updated Windows 10 host. Testers log in as minimal (non-administrative) users, operating in a medium integrity context, to run the shellcode execution/process injection scenarios.
This evaluation aims to provide insights into how effectively AV/EPP/EDR solutions counter process injection techniques, and thereby to help vendors strengthen their products.
Certified Products
AV-Comparatives’ Process Injection Evaluation is a rigorous assessment of cybersecurity products’ ability to counter process injection techniques, a prevalent tactic used by attackers. Only vendors that have met our certification criteria have their reports published. Of the seven products tested, only three passed this very challenging evaluation:
- Bitdefender GravityZone Business Security Enterprise
- ESET PROTECT Enterprise Cloud
- Kaspersky Endpoint Security for Business
Non-certified vendors receive detailed feedback on areas for improvement based on the test results, as part of AV-Comparatives’ commitment to enhancing cybersecurity solutions collaboratively.