A new collection of eight process injection methods, collectively called PoolPartycan be exploited to achieve code execution on Windows systems while avoiding endpoint detection and response (EDR) systems.
SafeBreach researcher Alon Leviev SAYS the methods “are able to work with all processes without limitations, which makes them more flexible than the methods of process injection.”
Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology
Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.
The injection process refers to a prevention technique used to run arbitrary code in a target process. There are a wide range of process injection methods, such as dynamic link library (DLL) injection, portable executable injection, thread execution hijacking, process hollowing, and process doppelgänging.
PoolParty is named so because it is rooted in a component called the Windows user-mode thread pool, which it uses to insert any type of work object into a target system process.
It works by targeting worker factories – which refers to Windows objects responsible for managing thread pool worker threads – and overwriting the start routine with malicious shellcode for subsequent execution of worker threads.
“Besides queues, the worker factory that acts as a manager of worker threads can be used to take over worker threads,” Leviev said.
SafeBreach says it has developed seven other methods of process injection using the task queue (regular work items), the I/O completion queue (asynchronous work items), and the timer queue (timer work items). based on supported work items.
PoolParty has been found to achieve a 100% success rate against popular EDR solutions, including those from CrowdStrike, Cybereason, Microsoft, Palo Alto Networks, and SentinelOne.
The disclosure comes nearly six months after Security Joes disclosed another process injection technique called Mockingjay that threat actors can exploit to bypass security solutions to execute malicious code on compromised users. that system.
“Although modern EDRs have evolved to detect known injection methods in the process, our research has proven that it is still possible to develop new techniques that go unnoticed and have potentially creating a devastating effect,” Leviev concluded.
“Sophisticated threat actors will continue to explore new and innovative methods for the injection process, and security tool vendors and practitioners must be proactive in their defense against them.”