Alon Leviev: The Pool Party You Will Never Forget | CONFidence

The Pool Party You Will Never Forget: New Process Injection Techniques Using Windows Thread Pools

Process injection is a technique often used by malware to execute its malicious code inside a target process. It lets attackers conceal their presence on the system, gain persistence, and perform actions that a regular process would not normally be permitted to perform.

However, modern EDRs have improved over time, making undetected process injection increasingly difficult to achieve.

Most process injection techniques rely on abusing legitimate features of the operating system that cannot be turned off by EDRs.

EDR vendors have therefore had to develop capabilities for differentiating between legitimate and malicious use of these features. We were curious whether EDRs generically detect all flows that lead to process injection. Our objective was to push the boundaries of detection and create a set of new, fully undetectable process injection techniques.

In this talk, we will delve into the internals of the Windows user-mode thread pool, a component that seems to have been overlooked by security researchers in the past. Our exploration begins with an introduction to the thread pool architecture, its work item queuing mechanism, and the execution process managed by the scheduler.

Moving forward, we will uncover how an attacker can take over the thread pool and insert any type of work item into any process on the system.

We will unveil the "PoolParty" tool, a collection of new and fully undetectable process injection techniques that leverage the Windows user-mode thread pool.

To conclude the presentation, we will demonstrate how "PoolParty" attacks bypass additional detection mechanisms, such as ransomware and credential dumping detections.

More: https://confidence-conference.org/
