A new collection of process injection techniques called PoolParty has been discovered by SafeBreach researcher Alon Leviev [2] [4]. These techniques enable code execution in Windows systems while evading endpoint detection and response (EDR) systems [1] [2] [3] [4].

Description

PoolParty is a set of process injection techniques that offer more flexibility than existing methods. It works against any target process and leverages the Windows user-mode thread pool to insert malicious code into that process [1] [2] [3]. By targeting worker factories and overwriting the start routine with shellcode [1] [2], PoolParty achieves code execution in the target process while evading EDR systems.

Alon Leviev presented these findings at the Black Hat Europe 2023 conference [1] [2] [3], highlighting the importance of proactive defense against these novel and undetectable process injection techniques [1]. Notably, PoolParty has successfully bypassed popular EDR solutions from companies such as CrowdStrike [1], Cybereason [1] [2] [3], Microsoft [1] [2] [3], Palo Alto Networks [1] [2] [3], and SentinelOne [1] [2] [3].

Conclusion

The discovery of PoolParty and its ability to evade EDR systems raises concerns about the effectiveness of current security measures. It is crucial for organizations to implement proactive defense strategies to mitigate the risks posed by these advanced process injection techniques. The success of PoolParty in bypassing popular EDR solutions highlights the need for continuous research and development of more robust security solutions to counter evolving threats.

References

[1] https://flyytech.com/2023/12/11/new-poolparty-process-injection-techniques-outsmart-top-edr-solutions/
[2] https://thehackernews.com/2023/12/new-poolparty-process-injection.html
[3] https://ciso2ciso.com/new-poolparty-process-injection-techniques-outsmart-top-edr-solutions-sourcethehackernews-com/
[4] https://www.guardianmssp.com/2023/12/11/new-poolparty-process-injection-techniques-outsmart-top-edr-solutions/