The Pool Party You Will Never Forget: New Process Injection Techniques Using Windows Thread Pools
Process injection is a method frequently used by malware to execute malicious code inside a target process. This approach enables attackers to conceal their presence on the system, gain persistence, and perform actions that would not normally be permitted for a regular process.
However, modern EDRs have improved over time, making it increasingly hard to perform process injection without being detected.
Most process injection techniques rely on abusing legitimate features of the operating system that EDRs cannot simply turn off.
Therefore, EDR vendors have had to build capabilities for differentiating between legitimate and malicious use of these features. We were curious whether EDRs generically detect all flows that lead to process injection. Our objective was to push the boundaries of detection and build a set of novel, fully undetectable process injection techniques.
In this talk, we will delve into the internals of the Windows user-mode thread pool, a component that appears to have been overlooked by security researchers in the past. Our exploration begins with an introduction to the thread pool architecture, its work item queuing mechanism, and the execution process managed by the scheduler.
Moving forward, we will uncover how an attacker can take over the thread pool and insert any kind of work item into any process on the system.
We will unveil the "PoolParty" tool, a collection of novel and fully undetectable process injection techniques that leverage the Windows user-mode thread pool.
Concluding our presentation, we will show how "PoolParty" attacks bypass additional detection mechanisms such as ransomware and credential dumping detections.
More: https://confidence-conference.org/