Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

New ‘Pool Party’ Process Injection Techniques Undetected by EDR Solutions

Pool Party is a new set of eight Windows process injection techniques that evade endpoint detection and response solutions.

Breach and attack simulation firm SafeBreach has discovered eight new process injection techniques that leverage Windows thread pools to trigger malicious code execution as the result of legitimate actions.

Dubbed Pool Party, the injection variants work across all processes, without limitations, and are fully undetected by leading endpoint detection and response (EDR) solutions, SafeBreach says.

Process injection, the cybersecurity firm explains, typically involves three primitives, for allocating memory on the target process, for writing malicious code to the allocated memory, and for executing the code.

Because EDR solutions base their detection capabilities on the execution primitive, SafeBreach researched the possibility of creating one based on allocation and writing primitives and triggering the execution by a legitimate action.

Eventually, the cybersecurity firm discovered that the Windows user-mode thread pool represents a viable area for process injection, given that all Windows processes have a thread pool by default.

Looking at the thread pool architecture, the firm identified four potential areas that could be abused for process injection, namely the worker factories, which are responsible for managing thread pool worker threads, three types of queues that are associated with three types of supported work items.

The first discovered process injection technique abuses the start routine of worker factories, while the other seven abuse the three queue types: one abuses the task queue, five abuse the I/O completion queue, while the eighth abuses the timer queue.

The firm then tested each of the identified Pool Party variants against five EDR solutions, namely Palo Alto Cortex, SentinelOne EDR, CrowdStrike Falcon, Microsoft Defender for Endpoint, and Cybereason EDR.

Advertisement. Scroll to continue reading.

“We achieved a 100 percent success rate, as none of the EDRs were able to detect or prevent Pool Party attacks. We reported these findings to each vendor and believe they are making updates to better detect these types of techniques,” SafeBreach says.

The research, the firm notes, proves that, although EDR solutions have evolved to detect known process injection techniques, novel methods that are undetectable can still be developed, potentially with devastating impact.

“Sophisticated threat actors will continue to explore new and innovative methods for process injection, and security tool vendors and practitioners must be proactive in their defense against them,” SafeBreach concludes.

Related: Stealth Techniques Used in ‘Operation Triangulation’ iOS Attack Dissected

Related: Think Like a Criminal: Knowing Popular Attack Techniques to Stop Bad Actors Faster

Related: New Windows Process Injection Can Be Useful for Stealthy Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Endpoint Security

Gigabyte has announced BIOS updates that remove a recently identified backdoor feature in hundreds of its motherboards.

Endpoint Security

Several major companies have published advisories in response to the Downfall vulnerability affecting Intel CPUs.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

CISO Strategy

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

Endpoint Security

The Zero Day Dilemma

Endpoint Security

When establishing visibility and security controls across endpoints, security professionals need to understand that each endpoint bears some or all responsibility for its own...