New PoolParty Process Injection Techniques Outsmart Top EDR Solutions

December 11, 2023NewsroomEndpoint Security / Malware

PoolParty Process Injection

A new collection of eight process injection methods, collectively called PoolPartycan be exploited to achieve code execution on Windows systems while avoiding endpoint detection and response (EDR) systems.

SafeBreach researcher Alon Leviev SAYS the methods “are able to work with all processes without limitations, which makes them more flexible than the methods of process injection.”

the findings first presented by Black Hat Europe 2023 conference last week.


Cracking the Code: Learn How Cyber ​​Attackers Exploit Human Psychology

Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.

Join now

The injection process refers to a prevention technique used to run arbitrary code in a target process. There are a wide range of process injection methods, such as dynamic link library (DLL) injection, portable executable injection, thread execution hijacking, process hollowing, and process doppelgänging.

PoolParty is named so because it is rooted in a component called the Windows user-mode thread pool, which it uses to insert any type of work object into a target system process.

It works by targeting worker factories – which refers to Windows objects responsible for managing thread pool worker threads – and overwriting the start routine with malicious shellcode for subsequent execution of worker threads.

Process Injection Methods

“Besides queues, the worker factory that acts as a manager of worker threads can be used to take over worker threads,” Leviev said.

SafeBreach says it has developed seven other methods of process injection using the task queue (regular work items), the I/O completion queue (asynchronous work items), and the timer queue (timer work items). based on supported work items.

PoolParty has been found to achieve a 100% success rate against popular EDR solutions, including those from CrowdStrike, Cybereason, Microsoft, Palo Alto Networks, and SentinelOne.


The disclosure comes nearly six months after Security Joes disclosed another process injection technique called Mockingjay that threat actors can exploit to bypass security solutions to execute malicious code on compromised users. that system.

“Although modern EDRs have evolved to detect known injection methods in the process, our research has proven that it is still possible to develop new techniques that go unnoticed and have potentially creating a devastating effect,” Leviev concluded.

“Sophisticated threat actors will continue to explore new and innovative methods for the injection process, and security tool vendors and practitioners must be proactive in their defense against them.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment