Security News New ‘Pool Party’ Process Injection Techniques Undetected by EDR Solutions

upnorth

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Content source
https://www.securityweek.com/new-pool-party-process-injection-techniques-undetected-by-edr-solutions/
Breach and attack simulation firm SafeBreach has discovered eight new process injection techniques that leverage Windows thread pools to trigger malicious code execution as the result of legitimate actions. Dubbed Pool Party, the injection variants work across all processes, without limitations, and are fully undetected by leading endpoint detection and response (EDR) solutions, SafeBreach says.

Process injection, the cybersecurity firm explains, typically involves three primitives, for allocating memory on the target process, for writing malicious code to the allocated memory, and for executing the code. Because EDR solutions base their detection capabilities on the execution primitive, SafeBreach researched the possibility of creating one based on allocation and writing primitives and triggering the execution by a legitimate action. Eventually, the cybersecurity firm discovered that the Windows user-mode thread pool represents a viable area for process injection, given that all Windows processes have a thread pool by default.
Click to expand...
The firm then tested each of the identified Pool Party variants against five EDR solutions, namely Palo Alto Cortex, SentinelOne EDR, CrowdStrike Falcon, Microsoft Defender for Endpoint, and Cybereason EDR. “We achieved a 100 percent success rate, as none of the EDRs were able to detect or prevent Pool Party attacks. We reported these findings to each vendor and believe they are making updates to better detect these types of techniques,” SafeBreach says.
Click to expand...
www.securityweek.com

New 'Pool Party' Process Injection Techniques Undetected by EDR Solutions

Pool Party is a new set of eight Windows process injection techniques that evade endpoint detection and response solutions.
www.securityweek.com www.securityweek.com
 
  • Like
  • +Reputation
  • Thanks
Reactions: silversurfer, vtqhtr413, simmerskool and 6 others

Similar threads

vtqhtr413
    • Like
    • +Reputation
Mockingjay Process Injection Technique Could Let Malware Evade Detection
Replies
4
Views
1,151
News Archive
Sandbox Breaker
Sandbox Breaker
Gandalf_The_Grey
    • Like
    • Sad
    • +Reputation
Security News Disconnect Your D-Link NAS From the Internet Right Now
Replies
0
Views
1,102
Security News
Gandalf_The_Grey
Gandalf_The_Grey
upnorth
    • +Reputation
    • Like
'Blindside' Attack Subverts EDR Platforms From Windows Kernel
Replies
0
Views
621
News Archive
upnorth
upnorth

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top