Masquerading Windows processes like a DoubleAgent.

ID: 37d1d577-f424-5ba6-bfbf-3f3d80e43960

STIX ID: report--37d1d577-f424-5ba6-bfbf-3f3d80e43960

Feed Name: SensePost Blog

Threat Score: 70/100

Date Published: 2020-04-23

Date Updated: 2026-04-29

This blog-style technical report demonstrates a weaponised proof-of-concept of the 2017 “DoubleAgent” Application Verifier technique (MITRE T1183) to persistently inject DLLs into Windows processes — including antivirus and system services — and use that code to dump LSASS memory for credential theft. The author tests the approach against modern AVs (Windows Defender, Cylance, McAfee), shows that static/dynamic detection was often bypassed, and recommends monitoring registry writes under Image File Execution Options with Sysmon as a detection/mitigation step.