Man
Professional
The injection takes place before key security components have even been activated.
Researchers at Outflank have introduced a new code injection method called Early Cascade Injection that bypasses modern endpoint detection and response (EDR) systems. The technique takes advantage of the Windows process creation sequence to minimize the risk of detection, and is positioned as an alternative to established methods such as Early Bird APC Injection.
Early Cascade Injection works by interfering with process creation at the user-mode level. The method combines the advantages of Early Bird APC Injection and the recently published EDR-Preloading technique. Unlike the earlier methods, the new approach does not need to queue an asynchronous procedure call (APC) across process boundaries, which reduces the likelihood of detection.
Early Cascade Injection uses undocumented function pointers inside the "ntdll.dll" library to execute code. One such pointer is "g_pfnSE_DllLoaded", which is invoked before key libraries such as "kernel32.dll" and "kernelbase.dll" have been initialized. This allows control of the process to be gained at a very early stage of its startup.
After the initial code stub has been triggered via "g_pfnSE_DllLoaded", that stub, now running inside the new process, uses the NtQueueApcThread call to queue the main payload as an APC on its own thread. The payload runs at the end of process initialization, when the pending APCs are delivered through the NtTestAlert function.
Unlike the traditional Early Bird APC Injection, the new method avoids the suspicious cross-process interactions, making it less visible to EDR. Early Cascade Injection also does not need to change memory page protections, because the sections it writes to (".mrdata" and ".data" in ntdll.dll) are still writable while the newly created process is suspended.
The Early Cascade Injection technique can bypass detection because the code is injected before the EDR has had a chance to activate its defenses. For example, EDRs commonly insert their user-mode hooks when the first DLL modules are loaded into a new process. The new method intervenes precisely at this stage, which can interfere with the loading of such protective modules.
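The following is an added example, not Outflank's code and not part of the original post: a small Python detector that correlates the telemetry shape the technique leaves behind, namely a process created suspended, a cross-process write into ntdll.dll's ".data" or ".mrdata" section while the first thread is still suspended, and then a resume. The JSON-lines event format, the PIDs, the ntdll base address and the section layout are all constructed assumptions standing in for what a real sensor would supply from its own process-creation and memory-write events and from the loaded ntdll image.

```python
"""Telemetry-shape detector for Early Cascade Injection (added example, not Outflank's code).

Correlates three events on a newly created process:
  1. proc_create   with CREATE_SUSPENDED
  2. remote_write  from another process into ntdll.dll's .data or .mrdata section
                   while the first thread is still suspended
  3. thread_resume that lets the tampered initialization run
The JSON-lines event format, PIDs, ntdll base and section layout are constructed
assumptions standing in for a real sensor's process and memory events.
"""
import json
from typing import Iterable, Optional

# Assumed ntdll.dll image map inside the target process (hypothetical values).
NTDLL_BASE = 0x7FFD1A5E0000
NTDLL_SECTIONS = {             # name: (RVA, size)
    ".text":   (0x001000, 0x11A000),
    ".data":   (0x12B000, 0x00B000),   # ntdll's writable globals
    ".mrdata": (0x16B000, 0x004000),   # "mutable read-only" data, home of g_pfnSE_DllLoaded
}
WATCHED_SECTIONS = (".data", ".mrdata")


def ntdll_section_for(address: int, size: int) -> Optional[str]:
    """Name of the ntdll section overlapped by [address, address + size), else None."""
    for name, (rva, length) in NTDLL_SECTIONS.items():
        start = NTDLL_BASE + rva
        if address < start + length and address + size > start:
            return name
    return None


def parse_trace(text: str) -> Iterable[dict]:
    """Parse constructed JSON-lines events; addresses are hex strings in the log."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            ev = json.loads(line)
            if "address" in ev:
                ev["address"] = int(ev["address"], 16)
            yield ev


def detect_early_cascade(events: Iterable[dict]) -> list:
    """Return one alert per suspended process that received ntdll .data/.mrdata
    writes before its first thread was resumed."""
    pending = {}   # child pid -> state while its initial thread is still suspended
    alerts = []
    for ev in events:
        kind = ev["event"]
        if kind == "proc_create" and "CREATE_SUSPENDED" in ev.get("flags", []):
            pending[ev["pid"]] = {"parent": ev["ppid"], "image": ev["image"], "writes": []}
        elif kind == "remote_write":
            state = pending.get(ev["target_pid"])
            if state is None:
                continue   # target already running or never suspended: outside this window
            section = ntdll_section_for(ev["address"], ev["size"])
            if section in WATCHED_SECTIONS:
                state["writes"].append((section, ev["address"], ev["size"], ev["pid"]))
        elif kind == "thread_resume":
            state = pending.pop(ev["target_pid"], None)
            if state and state["writes"]:
                alerts.append({
                    "rule": "ntdll_data_write_before_first_resume",
                    "parent_pid": state["parent"],
                    "child_pid": ev["target_pid"],
                    "image": state["image"],
                    "writes": state["writes"],
                })
    return alerts


def scan_trace(text: str) -> list:
    return detect_early_cascade(parse_trace(text))


# Constructed trace: one injection-shaped sequence, one benign debugger-style start
# (a one-byte breakpoint written into .text), and one normal non-suspended creation.
SAMPLE_TRACE = """
{"event":"proc_create","pid":4120,"ppid":3308,"image":"notepad.exe","flags":["CREATE_SUSPENDED"]}
{"event":"remote_write","pid":3308,"target_pid":4120,"address":"0x1C0000000","size":4096}
{"event":"remote_write","pid":3308,"target_pid":4120,"address":"0x7FFD1A70B2A0","size":4}
{"event":"remote_write","pid":3308,"target_pid":4120,"address":"0x7FFD1A74B0C8","size":8}
{"event":"thread_resume","pid":3308,"target_pid":4120}
{"event":"proc_create","pid":5004,"ppid":2200,"image":"calc.exe","flags":["CREATE_SUSPENDED"]}
{"event":"remote_write","pid":2200,"target_pid":5004,"address":"0x7FFD1A5E1230","size":1}
{"event":"thread_resume","pid":2200,"target_pid":5004}
{"event":"proc_create","pid":6100,"ppid":3308,"image":"cmd.exe","flags":[]}
{"event":"remote_write","pid":3308,"target_pid":6100,"address":"0x7FFD1A70B2A0","size":4}
"""

if __name__ == "__main__":
    for alert in scan_trace(SAMPLE_TRACE):
        print(alert)
```

The point of the correlation is the window, not any single event: writing into a suspended child is what every debugger and many legitimate launchers do, and a payload buffer allocated outside ntdll is indistinguishable from a normal remote allocation, so only a write that lands in ntdll's ".data" or ".mrdata" before the first resume is raised. A production rule would take the ntdll base and section table from the target's loaded image rather than from constants, and would also want to cover the case where the writer is not the parent.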
Early Cascade Injection demonstrates how new approaches continue to find gaps in defenses. The researchers showed that even advanced EDR solutions can be bypassed while minimizing the risk of detection. At the same time, the use of such methods carries its own risks, since their effectiveness depends on the internals of a particular Windows version and may change with updates.
Source