Brother
Professional
SafeBreach experts have developed a method for embedding code in process memory that uses Windows thread pools to hide its execution. Testing has shown that even the leaders of the EDR solutions market are not able to detect the Pool Party attack.
Injecting code into processes allows attackers to bypass antivirus programs: such infections do not leave traces in the system in the form of files that can be analyzed. In recent years, many OS and EDR vendors have strengthened their protection against such attacks by blocking known techniques or severely limiting the consequences.
To understand how fileless malware can bypass EDR, the researchers had to study how modern products of this class detect such threats. As it turned out, they evaluate the execution primitive — only one of the three elementary actions required for injection into a process (the other two being allocating a block of memory and writing code into it).
This discovery prompted the experts to hide fileless malware from EDR: create an execution primitive based only on allocate and write, and use a legitimate action as the shellcode trigger, for example writing to a harmless file.
An excellent candidate for this trick was the user mode thread pool in Windows, or rather, four components: a worker role factory that manages worker threads, and three queues.
Based on the results of the study, eight different code injection techniques were created: one uses the role factory startup routine, another uses the task queue, five more use the I/O completion queue, and the eighth uses the timer queue. Since the thread pool is shared by all Windows processes, the Pool Party method works on any of them.
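The defensive lesson in the paragraphs above is that detection keyed only on the execute primitive misses an injection that needs just allocate and write. The following Python script is an added example, not code from SafeBreach or from the original post: it triages constructed Sysmon Event ID 10 (ProcessAccess) records and flags cross-process handles that carry memory-write rights even when no thread-creation right was requested. The access-mask constants are the documented Win32 process rights; the log lines, image paths and the pipe-separated record layout are constructed for this example.

```python
import re

# Documented Win32 process access rights (winnt.h).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008   # needed to allocate / change protection of remote memory
PROCESS_VM_WRITE = 0x0020       # needed to write into remote memory
PROCESS_DUP_HANDLE = 0x0040     # needed to duplicate handles out of the target

# Constructed sample records in the shape of Sysmon Event ID 10 fields,
# flattened to "Key: Value" pairs separated by '|' for this example only.
SAMPLE_EVENTS = [
    "SourceImage: C:\\Windows\\System32\\svchost.exe|TargetImage: C:\\Windows\\System32\\lsass.exe|GrantedAccess: 0x1000",
    "SourceImage: C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe|TargetImage: C:\\Windows\\explorer.exe|GrantedAccess: 0x1FFFFF",
    "SourceImage: C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe|TargetImage: C:\\Windows\\System32\\notepad.exe|GrantedAccess: 0x68",
    "SourceImage: C:\\Program Files\\Vendor\\backup.exe|TargetImage: C:\\Windows\\System32\\svchost.exe|GrantedAccess: 0x1400",
]

_FIELD = re.compile(r"\s*([A-Za-z]+):\s*(.*?)\s*$")


def parse_event(line):
    """Turn one flattened record into a dict; GrantedAccess becomes an int."""
    event = {}
    for part in line.split("|"):
        m = _FIELD.match(part)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        event[key] = int(value, 16) if key == "GrantedAccess" else value
    return event


def classify(granted):
    """Map an access mask to the injection primitives it would allow.

    'allocate-write-execute' is the classic pattern most products key on;
    'allocate-write-only' is the pattern worth reviewing when execution may be
    triggered through a legitimate mechanism such as the thread pool.
    """
    can_write = bool(granted & PROCESS_VM_WRITE) and bool(granted & PROCESS_VM_OPERATION)
    if not can_write:
        return "none"
    if granted & PROCESS_CREATE_THREAD:
        return "allocate-write-execute"
    return "allocate-write-only"


def triage(lines, allowlist=frozenset()):
    """Return the records whose handle rights permit writing into another process.

    allowlist holds source image paths a site has vetted (debuggers, backup agents);
    it is empty by default so nothing is silently dropped.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        if "GrantedAccess" not in ev or ev.get("SourceImage") in allowlist:
            continue
        verdict = classify(ev["GrantedAccess"])
        if verdict == "none":
            continue
        findings.append({
            "source": ev.get("SourceImage", "?"),
            "target": ev.get("TargetImage", "?"),
            "verdict": verdict,
            "dup_handle": bool(ev["GrantedAccess"] & PROCESS_DUP_HANDLE),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['verdict']:<24} {f['source']} -> {f['target']} (dup_handle={f['dup_handle']})")
```

Running the script on the constructed records reports two findings from the Temp-folder binary: the full-access handle to explorer.exe as the classic pattern, and the write-only handle to notepad.exe as the pattern a product focused solely on the execute primitive would not see. Legitimate tooling requests such rights too, so the `allowlist` parameter is where vetted source images belong in a real deployment.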
Five EDR solutions were selected for testing:
* Palo Alto Cortex,
* SentinelOne EDR,
* CrowdStrike Falcon,
* Microsoft Defender for Endpoint,
* Cybereason EDR.
In all cases, the effectiveness of Pool Party (all eight variants) was 100%, that is, no protective product was able to detect or prevent the injection. Vendors have already been notified.