New 'Pool Party' Process Injection Techniques Undetected by EDR Solutions

Breach and attack simulation firm SafeBreach has discovered eight new process injection techniques that leverage Windows thread pools to trigger malicious code execution as the result of legitimate actions.
Dubbed Pool Party, the injection variants work across all processes, without limitations, and are fully undetected by leading endpoint detection and response solutions, SafeBreach says.
Process injection, the cybersecurity firm explains, typically involves three primitives: one for allocating memory in the target process, one for writing malicious code to the allocated memory, and one for executing that code.
Because EDR solutions base their detection on the execution primitive, SafeBreach researched whether an injection technique could be built from only the allocation and write primitives, with the execution triggered by a legitimate action.
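The detection gap the article describes is that telemetry keyed only on the execution primitive (remote thread creation, APCs, thread context changes) never fires when execution is triggered by a legitimate action. The following added example, which is not code from the article or from SafeBreach, shows a small correlator that instead keys on the first two primitives: a source process that allocates memory in, and then writes to, a different process is flagged whether or not an execution API follows. The event format, the field names and the sample events are constructed for this example; real EDR or ETW feeds use their own schemas.

```python
"""Correlate cross-process allocation and write primitives (added example).

Assumptions: events carry a timestamp, the acting process id, the process id
being operated on, and the API name. The event format and sample telemetry
below are constructed for illustration, not taken from any product's schema.
"""
from collections import defaultdict
from dataclasses import dataclass

# Well-known Windows APIs for the three primitives; grouped by primitive.
ALLOC_APIS = {"VirtualAllocEx", "NtAllocateVirtualMemory"}
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory"}
EXEC_APIS = {"CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC", "SetThreadContext"}


@dataclass(frozen=True)
class ApiEvent:
    ts: float          # seconds (constructed clock)
    source_pid: int    # process making the call
    target_pid: int    # process whose memory is touched
    api: str


# Constructed sample telemetry.
#  - 4242 -> 1337 allocates and writes into a foreign process but never calls an
#    execution API: the pattern an execution-centric detection misses.
#  - 900 -> 900 operates on itself and is ignored as benign.
#  - 5000 -> 2000 uses the classic full chain, which both detections catch.
SAMPLE_EVENTS = [
    ApiEvent(100.0, 4242, 1337, "VirtualAllocEx"),
    ApiEvent(100.2, 4242, 1337, "WriteProcessMemory"),
    ApiEvent(100.3, 4242, 1337, "WriteProcessMemory"),
    ApiEvent(101.0, 900, 900, "VirtualAllocEx"),
    ApiEvent(102.0, 5000, 2000, "VirtualAllocEx"),
    ApiEvent(102.1, 5000, 2000, "WriteProcessMemory"),
    ApiEvent(102.2, 5000, 2000, "CreateRemoteThread"),
]


def execution_only_alerts(events):
    """What a detection keyed solely on the execution primitive would raise:
    a sorted list of (source_pid, target_pid) pairs seen calling an exec API."""
    return sorted({(e.source_pid, e.target_pid) for e in events
                   if e.api in EXEC_APIS and e.source_pid != e.target_pid})


def primitive_correlation_alerts(events, window=30.0):
    """Flag source->target pairs that allocate and then write into a foreign
    process within `window` seconds, regardless of any execution API.
    Returns a sorted list of (source_pid, target_pid, saw_execution)."""
    by_pair = defaultdict(list)
    for e in events:
        if e.source_pid != e.target_pid:          # self-operations are benign here
            by_pair[(e.source_pid, e.target_pid)].append(e)

    alerts = []
    for (src, dst), evs in by_pair.items():
        allocs = [e.ts for e in evs if e.api in ALLOC_APIS]
        writes = [e.ts for e in evs if e.api in WRITE_APIS]
        # Require at least one write that follows an allocation within the window.
        correlated = any(0 <= w - a <= window for a in allocs for w in writes)
        if correlated:
            saw_exec = any(e.api in EXEC_APIS for e in evs)
            alerts.append((src, dst, saw_exec))
    return sorted(alerts)


if __name__ == "__main__":
    print("execution-only:", execution_only_alerts(SAMPLE_EVENTS))
    print("allocation+write:", primitive_correlation_alerts(SAMPLE_EVENTS))
```

On the constructed sample, the execution-only view reports just the 5000 -> 2000 chain, while the primitive correlation also surfaces 4242 -> 1337 with `saw_execution=False`; that second tuple is the class of activity the article says current EDR logic overlooks. In production the same idea is applied to the EDR's or ETW's native memory-operation events, with allowlisting for legitimate cross-process writers such as debuggers.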
Eventually, the cybersecurity firm discovered that the Windows user-mode thread pool represents a viable area for process injection, given that all Windows processes have a thread pool by default.
Looking at the thread pool architecture, the firm identified four potential areas that could be abused for process injection: the worker factories, which manage the thread pool's worker threads, and the three types of queues, each associated with one of the three supported work item types.
The first discovered process injection technique abuses the start routine of worker factories, while the other seven abuse the three queue types: one abuses the task queue, five abuse the I/O completion queue, and the eighth abuses the timer queue.
The research, the firm notes, proves that, although EDR solutions have evolved to detect known process injection techniques, novel methods that are undetectable can still be developed, potentially with devastating impact.


This Cyber News was published on www.securityweek.com. Publication date: Thu, 07 Dec 2023 14:14:10 +0000

