The Pool Party You Will Never Forget: New Process Injection Techniques Using Windows Thread Pools

Process injection is a technique often used by malware to execute its malicious code inside a target process. It lets attackers conceal their presence on the system, gain persistence, and perform actions under the identity and privileges of the target process that their own process would not be allowed to perform. However, modern EDRs have improved over time, making it increasingly difficult to perform a process injection that goes undetected.

Most process injection techniques abuse legitimate operating-system features that EDRs cannot simply turn off, so EDR vendors have had to build capabilities that differentiate between legitimate and malicious use of those features. We were curious whether EDRs generically detect every flow that leads to process injection. Our objective was to push the boundaries of detection and create a set of new, fully undetectable process injection techniques.

In this talk, we will delve into the internals of the Windows user-mode thread pool, a component that security researchers seem to have overlooked in the past. Our exploration begins with an introduction to the thread pool architecture, its work item queuing mechanism, and the execution process managed by the scheduler.

Moving forward, we will uncover how an attacker can take over the thread pool and insert any type of work item into any process on the system.

We will unveil the "PoolParty" tool for the first time, a collection of new and fully undetectable process injection techniques that leverage the Windows user-mode thread pool.

Concluding our presentation, we will demonstrate how "PoolParty" attacks also bypass additional detection mechanisms, such as ransomware and credential dumping detections.


About the Presenter: Alon Leviev

Alon Leviev (@_0xDeku) is a 21-year-old self-taught security researcher with a diverse background. Alon started his professional career as a blue team operator, where he focused on the defensive side of cyber security. As his passion grew towards research, Alon joined SafeBreach as a security researcher. His main interests include operating system internals, reverse engineering, and vulnerability research. Alon spoke at Black Hat Europe 2023. Before joining the cyber security field, Alon was a professional Brazilian jiu-jitsu athlete, where he won several world and European titles.
