Researchers from cybersecurity firm SafeBreach have introduced a new process injection technique named Pool Party, designed to bypass major EDR (Endpoint Detection and Response) solutions. Presented at Black Hat Europe 2023, the technique leverages less-explored Windows thread pools to create a novel attack vector for process injection. SafeBreach discovered eight previously unknown injection techniques that proved to be highly flexible, functioning across all processes without limitations, and fully undetectable when tested against five leading EDR solutions.
The process injection technique used by Pool Party chains three primitives: allocating memory in the target process, writing malicious code into that memory, and executing it. The researchers found that EDR solutions detect injection mainly by tracking the execution primitive. They therefore set out to build an execution primitive from the allocation and write primitives alone, and explored the Windows user-mode thread pool as a way to trigger execution of the written code through a legitimate action. They found that worker factories, which manage thread pool worker threads, could be abused for process injection.
One of the techniques abuses the start routine of worker factories, while the others target three queue types within the thread pool. Testing showed a 100% success rate in bypassing major EDR solutions, including Palo Alto Cortex, SentinelOne EDR, CrowdStrike Falcon, Microsoft Defender for Endpoint, and Cybereason EDR. The researchers stress that although modern EDRs have evolved to detect known process injection techniques, novel and undetected methods can still be developed, and conclude that defenders need proactive measures against sophisticated threat actors exploring new process injection methods.