
“Pool Party” process injection techniques evade EDRs
2023-12-12 10:56

SafeBreach researchers have discovered eight new process injection techniques that can be used to covertly execute malicious code on Windows systems.

Dubbed "Pool Party" because they abuse Windows thread pools, these process injection techniques work against any Windows process and, according to the researchers, went undetected when tested against five leading EDR/XDR solutions: Palo Alto Cortex, SentinelOne EDR, CrowdStrike Falcon, Microsoft Defender for Endpoint, and Cybereason EDR.

"Process injection usually consists of a chain of three primitives," SafeBreach researcher Alon Leviev explained: The allocation primitive allocates memory on the target process, the writing primitive writes malicious code to the allocated memory, and the execution primitive executes that code.

"EDRs allow the two first steps of injection - memory allocation and writing to remote process - and focus their detection on the final step: remote execution," says Tomer Bar, VP of Security Research at SafeBreach.

The problem, Bar told Help Net Security, is that EDRs base their detection on the identity of the process that performs the action.
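To make the detection gap described above concrete, here is a small added illustration (not SafeBreach's, Help Net Security's or any vendor's code) that runs two toy rules over a constructed event log. The event schema (`pid`, `target_pid`, `op`) and the sample events, including the placeholder `OtherExecutionPrimitive` name, are assumptions made for this example and do not mirror any real EDR's telemetry. The first rule alerts only on a known remote execution primitive, as the article says EDRs tend to; the second correlates the allocation and writing primitives across a process boundary and catches a chain whose execution step the first rule does not know about.

```python
"""Toy comparison of execution-primitive-only alerting against
allocate+write correlation for cross-process injection.

Added illustration, not SafeBreach or any vendor's code. The event
shape and the sample telemetry below are constructed for this example.
"""

from collections import defaultdict
from dataclasses import dataclass

# Hypothetical normalized API names for the three injection primitives.
ALLOC_OPS = {"VirtualAllocEx"}
WRITE_OPS = {"WriteProcessMemory"}
# Execution primitives a signature-driven rule typically watches.
KNOWN_EXEC_OPS = {"CreateRemoteThread", "QueueUserAPC", "SetThreadContext"}


@dataclass(frozen=True)
class Event:
    ts: int           # monotonically increasing event sequence number
    pid: int          # process performing the action
    target_pid: int   # process whose memory or threads are touched
    op: str           # normalized API name (assumed schema)


# Constructed sample telemetry:
#   pid 1000: classic chain ending in CreateRemoteThread
#   pid 2000: same allocate+write chain, but the execution step uses a
#             primitive the execution-only rule does not recognise
#             ("OtherExecutionPrimitive" is a placeholder, not a real API)
#   pid 3000: allocates and writes into its own address space (benign)
SAMPLE_EVENTS = [
    Event(1, 1000, 4321, "VirtualAllocEx"),
    Event(2, 1000, 4321, "WriteProcessMemory"),
    Event(3, 1000, 4321, "CreateRemoteThread"),
    Event(4, 2000, 4321, "VirtualAllocEx"),
    Event(5, 2000, 4321, "WriteProcessMemory"),
    Event(6, 2000, 4321, "OtherExecutionPrimitive"),
    Event(7, 3000, 3000, "VirtualAllocEx"),
    Event(8, 3000, 3000, "WriteProcessMemory"),
]


def exec_only_detector(events):
    """Alert on a known remote execution primitive crossing a process boundary.

    This mirrors the detection focus the article attributes to EDRs: the
    allocate and write steps are allowed through, only the final step fires.
    """
    return sorted({e.pid for e in events
                   if e.pid != e.target_pid and e.op in KNOWN_EXEC_OPS})


def alloc_write_detector(events):
    """Alert when one process allocates in, and then writes to, another process.

    The rule is independent of which execution primitive follows, so it still
    fires when the execution step is one the signature list has never seen.
    """
    first_alloc = {}                       # (pid, target) -> ts of first alloc
    flagged = set()
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.pid == e.target_pid:
            continue                       # self-modification is out of scope
        key = (e.pid, e.target_pid)
        if e.op in ALLOC_OPS:
            first_alloc.setdefault(key, e.ts)
        elif e.op in WRITE_OPS and key in first_alloc and first_alloc[key] < e.ts:
            flagged.add(e.pid)             # write into memory allocated earlier
    return sorted(flagged)


def missed_by_exec_only(events):
    """Source pids the correlating rule flags but the execution-only rule misses."""
    return sorted(set(alloc_write_detector(events)) - set(exec_only_detector(events)))


if __name__ == "__main__":
    print("execution-only rule flags :", exec_only_detector(SAMPLE_EVENTS))
    print("allocate+write rule flags :", alloc_write_detector(SAMPLE_EVENTS))
    print("missed by execution-only  :", missed_by_exec_only(SAMPLE_EVENTS))
```

The correlating rule keys on the pair of cross-process allocation and write by the same source process, which the article says EDRs currently let through; it is noisier than an execution-primitive signature (debuggers and some legitimate tooling write into other processes), so in practice it would be paired with process allow-listing rather than used as a stand-alone alert.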

"Researchers from SafeBreach reached out to CrowdStrike via our Bug Bounty program to share their findings with respect to process injection techniques. After engaging with the researcher to learn more about their findings, we updated the Falcon sensor to provide visibility and detection capabilities for this specific technique - this new sensor release was pushed live in October," a CrowdStrike spokesperson told Help Net Security.


News URL

https://www.helpnetsecurity.com/2023/12/12/pool-party-process-injection/