“Pool Party” process injection techniques evade EDRs

SafeBreach researchers have discovered eight new process injection techniques that can be used to covertly execute malicious code on Windows systems.

Dubbed “Pool Party” because they (ab)use Windows thread pools, these process injection techniques work across all processes and, according to the researchers, they went undetected when tested against five leading EDR/XDR solutions, namely: Palo Alto Cortex, SentinelOne EDR, CrowdStrike Falcon, Microsoft Defender For Endpoint, and Cybereason EDR.

“Pool Party” process injection techniques

“Process injection usually consists of a chain of three primitives,” SafeBreach researcher Alon Leviev explained: The allocation primitive allocates memory on the target process, the writing primitive writes malicious code to the allocated memory, and the execution primitive executes that code.

Process injection (Source: SafeBreach)

“EDRs allow the two first steps of injection – memory allocation and writing to remote process – and focus their detection on the final step: remote execution,” says Tomer Bar, VP of Security Research at SafeBreach.

To stymie EDRs, Leviev and his colleagues found a way to create an execution primitive based on the other two primitives. (The technical write-up on the techniques is available here.)

The problem, Bar told Help Net Security, is that EDRs base their detection on the identity of the process that performs the action. “If it’s a trusted process it will allow the action, if not the action will be blocked,” he noted.

He also told us “PoolParty” attacks can bypass additional detection mechanisms such as ransomware and credential dumping detections.

“One example is Microsoft’s controlled folder access protection, which blocks any modification or deletion of files inside protected folders. But modification is allowed to certain processes such as explorer.exe, [and] once we inject ransom code into it, we are able to bypass the protection and encrypt all files inside protected folders,” he explained.

“Another example is dumping credentials from the LSASS process, which are blocked by all tested EDRs. But if we inject code into LSASS process, the injected code is allowed to dump the LSASS process (itself).”

New detections released (or soon to be released)

Leviev has shared the techniques with the audience at Black Hat Europe last week, and Safebreach has published proof-of-concept code that can be used for further research and development.

The researchers have contacted the EDR vendors against whose solutions they tested the “Pool Party” techniques and said that some of them have developed and released new detections.

We’ve asked the five companies for more information.

“Researchers from SafeBreach reached out to CrowdStrike via our Bug Bounty program to share their findings with respect to process injection techniques. After engaging with the researcher to learn more about their findings, we updated the Falcon sensor to provide visibility and detection capabilities for this specific technique – this new sensor release was pushed live in October,” a Crowdstrike spokesperson told Help Net Security.

“We have not seen the technique exercised in other customer environments, and we continue to monitor for related activity. We thank SafeBreach for their responsible disclosure and continue to work closely with them to ensure CrowdStrike customers are protected against the latest research.”

SentinelOne confirmed that their products effectively detect and, based on policy settings, terminate this threat on devices protected by their solutions.

“Microsoft does not have anything to add at this time,” the Redmond giant’s spokesperson commented.