Novel Process Injection Technique Using Windows Thread Pools Bypasses Leading EDR Solutions
During Black Hat Europe, SafeBreach Labs researcher Alon Leviev is presenting his newest discovery: a set of highly flexible process injection techniques, built on Windows thread pools, that completely bypass leading endpoint detection and response (EDR) solutions.
If carried through to completion, process injection can have devastating impact. An attacker can use it to execute code on behalf of a legitimate process, gaining the ability to perform actions that would otherwise be denied to them. The SafeBreach Labs team explored the viability of Windows thread pools, an under-analyzed area of the Microsoft Windows OS, as a novel attack vector for process injection. They discovered 8 new process injection techniques, dubbed Pool Party variants, each of which triggers malicious execution as the result of a completely legitimate action; when tested against five leading EDR solutions, all of them proved fully undetectable.
You can read the discovery here.
This entry was posted on December 6, 2023 at 9:02 am and is filed under Commentary with tags SafeBreach.