CylanceENDPOINT Prevents Pool Party Process Injection
Threat actors have devised yet another way to leverage the Microsoft® Windows® operating system to undertake malicious actions under the guise of seemingly normal tasks — and evade many EDR (endpoint detection and response) solutions.
Recently, SafeBreach discovered eight new process injection techniques that can leverage Windows thread pools to trigger malicious code execution as the result of legitimate actions. Dubbed “Pool Party” by the firm, the injections work across all processes, without limitations, and remain undetected by many EDR solutions. In fact, SafeBreach’s testing determined that this methodology successfully evaded Palo Alto Cortex, SentinelOne EDR, CrowdStrike Falcon, Microsoft Defender for Endpoint, and Cybereason EDR. However, it found its match with CylanceENDPOINT™ from BlackBerry.
What is Process Injection?
Process injection is an evasion technique used to execute code in a target process without being detected. It generally consists of a chain of three operations known as primitives:
- Allocation primitive: allocates memory on the target process
- Writing primitive: writes malicious code to the allocated memory
- Execution primitive: executes the malicious code
Typically, EDR solutions focus their detection capabilities on the execution primitive. Threat researchers tested whether creating an injection based on the allocation and writing primitives could avoid detection by EDR and then trigger execution with a legitimate action.
Through this testing, they determined that the Windows user-mode thread pool can be used as a vehicle for process injection: every Windows process has a thread pool by default, so once the allocation and writing primitives have placed code in the target, the thread pool itself can be made to run it. With this foot in the door, threat actors can tune their approach to enter an environment undetected, blending in with the numerous other routine actions and processes that a system performs.
How Pool Party Outsmarts Many Leading EDR Solutions
By evaluating the thread pool architecture, the researchers identified four potential target areas for malicious process injection. The most notable of these are worker factories, which manage the thread pool's worker threads. The thread pool also exposes three types of queues, each associated with one of three supported kinds of work item.
One process injection technique abuses the start routine of worker factories, while the other seven abuse the three queue types, distributed as follows:
- One process injection abuses the task queue.
- Five abuse the input/output completion queue.
- One process injection abuses the timer queue.
SafeBreach researchers then tested each of the identified Pool Party variants against five leading EDR solutions, including Palo Alto Cortex, SentinelOne EDR, CrowdStrike Falcon, Microsoft Defender for Endpoint, and Cybereason EDR. SafeBreach reports that none of the EDRs were able to detect, let alone prevent, any Pool Party variant.
While Windows Kernel Pool vulnerabilities or bypasses have been leveraged since at least 2007 and 2008, it is important to note that process injection to bypass EDRs — or any other system protection — represents only one step in the kill chain. However, these developments indicate a gap between the speed at which new threats are being created and the ability of many cybersecurity solutions to prevent them. This gap highlights the critical need for modern, agile, AI-powered defense to rapidly analyze and block these novel threats.
BlackBerry Customers Protected From Pool Party With CylanceENDPOINT
Upon the discovery of Pool Party, BlackBerry’s threat research and product security teams worked quickly to understand the threat and determine whether CylanceENDPOINT protects against it. Analysis of the attack chain revealed attempts to allocate memory in a running process by calling VirtualAllocEx, which is monitored by the Remote Allocation of Memory violation, under Process Injection in the Memory Actions of CylanceENDPOINT. The BlackBerry team found that the CylanceENDPOINT solution's AI capabilities automatically flag the threat as unsafe.
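The contrast the post draws, between monitoring only the execution primitive and monitoring the allocation primitive as CylanceENDPOINT's Remote Allocation of Memory violation does, can be shown with a small classifier over constructed API-call telemetry. This is an added illustration, not BlackBerry's or SafeBreach's code; the log format, field names, and the process images are assumptions, and the thread-pool trigger call is a labelled placeholder rather than a real API.

```python
import json

# Constructed sample telemetry, not real EDR output: one JSON line per API call,
# in the shape a user-mode hook or ETW consumer might emit. Field names are assumed.
SAMPLE_LOG = """
{"pid": 4120, "image": "dropper.exe", "api": "OpenProcess", "target_pid": 3306}
{"pid": 4120, "image": "dropper.exe", "api": "VirtualAllocEx", "target_pid": 3306}
{"pid": 4120, "image": "dropper.exe", "api": "WriteProcessMemory", "target_pid": 3306}
{"pid": 4120, "image": "dropper.exe", "api": "THREADPOOL_TRIGGER_PLACEHOLDER", "target_pid": 3306}
{"pid": 2211, "image": "classic.exe", "api": "VirtualAllocEx", "target_pid": 3306}
{"pid": 2211, "image": "classic.exe", "api": "WriteProcessMemory", "target_pid": 3306}
{"pid": 2211, "image": "classic.exe", "api": "CreateRemoteThread", "target_pid": 3306}
{"pid": 5080, "image": "notepad.exe", "api": "VirtualAlloc", "target_pid": 5080}
"""

# Which injection primitive a documented Win32/Nt call represents when the
# target is a different process. The placeholder above deliberately matches none
# of these: a Pool Party style trigger is an ordinary thread-pool operation.
ALLOC_APIS = {"VirtualAllocEx", "NtAllocateVirtualMemory"}
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory"}
EXEC_APIS = {"CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC"}


def parse_events(log_text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in log_text.strip().splitlines()]


def primitive_of(event):
    """Map a cross-process API call to its primitive; same-process calls are routine."""
    if event["pid"] == event["target_pid"]:
        return None
    api = event["api"]
    if api in ALLOC_APIS:
        return "allocation"
    if api in WRITE_APIS:
        return "writing"
    if api in EXEC_APIS:
        return "execution"
    return None


def flag_sources(events, watched_primitives):
    """Return the (pid, image) pairs that performed a watched primitive on a foreign process."""
    return {(ev["pid"], ev["image"]) for ev in events
            if primitive_of(ev) in watched_primitives}


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("execution-only monitoring flags:", flag_sources(events, {"execution"}))
    print("remote-allocation monitoring flags:", flag_sources(events, {"allocation"}))
```

The execution-only pass flags only the classic CreateRemoteThread injector, while the allocation pass also catches the dropper whose execution step never touches a monitored API.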
This onboard AI/ML protection that Cylance pioneered helps ensure customers are protected from day one, rather than needing to wait for some complicated EDR rules to be pushed down from a cloud. In fact, an independent test from the Tolly Group — a leading independent test lab and respected provider of third-party validation services for the tech industry — showed that when compared to other leading endpoint protection vendors, the AI-enhanced CylanceENDPOINT solution from BlackBerry blocks up to 133% more malware, performs up to 13 times faster, and uses nearly 20 times less system resources.
Preventing cyberattacks is the reason most organizations invest in endpoint protection, and Tolly Group’s testing conclusively proves that CylanceENDPOINT is a strong and capable solution for stopping modern attacks like Pool Party, and it’s one that customers love to use.