Dec 13 2023

HOW TO BYPASS EDRS, AV WITH EASE USING 8 NEW PROCESS INJECTION ATTACKS

Category: Malwaredisc7 @ 7:38 am

In the ever-evolving landscape of cybersecurity, researchers are continually uncovering new methods that challenge existing defense mechanisms. A recent study by SafeBreach, a leader in cybersecurity research, has brought to light a novel process injection technique that exploits Windows thread pools, revealing vulnerabilities in current Endpoint Detection and Response (EDR) solutions. This groundbreaking research not only demonstrates the sophistication of potential cyber threats but also underscores the need for advanced defensive strategies in the digital world. Thread pool exploitation is challenging for EDRs to detect because it uses legitimate system mechanisms for malicious purposes. EDRs often look for known patterns of malicious activity, but when malware hijacks legitimate processes or injects code via expected system behaviors, such as those involving thread pools, it can blend in without raising alarms. Essentially, these techniques don’t leave the typical traces that EDRs are programmed to identify, allowing them to operate under the radar.

UNDERSTANDING PROCESS INJECTION:

Process injection is a technique often used by cyber attackers to execute malicious code within the memory space of a legitimate process. By doing so, they can evade detection and gain unauthorized access to system resources. Traditionally, this method involves three key steps: allocating memory in the target process, writing the malicious code into this allocated space, and then executing the code to carry out the attack.

THE ROLE OF WINDOWS THREAD POOLS:

Central to this new technique is the exploitation of Windows thread pools. Thread pools in Windows are integral for managing worker threads, which are used to perform various tasks in the background. These pools efficiently manage the execution of multiple threads, reducing the overhead associated with thread creation and destruction. In legitimate scenarios, thread pools enhance the performance and responsiveness of applications. Windows thread pools are a system feature used to manage multiple threads efficiently. These pools allow for the execution of worker threads that perform tasks in the background, optimizing the use of system resources. Thread pools are integral to the Windows operating system and are used by various applications for performing asynchronous tasks.

SafeBreach’s research delves into how these thread pools can be manipulated for malicious purposes. By exploiting the mechanisms that govern thread pool operations, attackers can inject malicious code into other running processes, bypassing traditional security measures. This technique presents a significant challenge to existing EDR solutions, which are typically designed to detect more conventional forms of process injection. Here are some examples of such manipulations:

  1. Inserting Malicious Work Items:
    • Attackers can insert malicious work items into the thread pool. These work items are essentially tasks scheduled to be executed by the pool’s worker threads. By inserting a work item that contains malicious code, an attacker can execute this code under the guise of a legitimate process.
  2. Hijacking Worker Threads:
    • An attacker might hijack the worker threads of a thread pool. By taking control of these threads, the attacker can redirect their execution flow to execute malicious code. This method can be particularly effective because worker threads are trusted components within the system.
  3. Exploiting Timer Queues:
    • Windows thread pools use timer queues to schedule tasks to be executed at specific times. An attacker could exploit these timer queues to schedule the execution of malicious code at a predetermined time, potentially bypassing some time-based security checks.
  4. Manipulating I/O Completion Callbacks:
    • Thread pools handle I/O completion callbacks, which are functions called when an I/O operation is completed. By manipulating these callbacks, an attacker can execute arbitrary code in the context of a legitimate I/O completion routine.
  5. Abusing Asynchronous Procedure Calls (APCs):
    • While not directly related to thread pools, attackers can use Asynchronous Procedure Calls, which are mechanisms for executing code asynchronously in the context of a particular thread, in conjunction with thread pool manipulation to execute malicious code.
  6. Worker Factory Manipulation:
    • The worker factory in a thread pool manages the worker threads. By manipulating the worker factory, attackers can potentially control the creation and management of worker threads, allowing them to execute malicious tasks.
  7. Remote TP_TIMER Work Item Insertion:
    • This involves creating a timer object in the thread pool and then manipulating it to execute malicious code. The timer can be set to trigger at specific intervals, executing the malicious code repeatedly.
  8. Queue Manipulation:
    • Attackers can manipulate the queues used by thread pools to prioritize or delay certain tasks. By doing so, they can ensure that their malicious tasks are executed at a time when they are most likely to go undetected.

These examples illustrate the versatility and potential stealth of using Windows thread pools for malicious purposes. The exploitation of such integral system components poses a significant challenge to cybersecurity defenses, requiring advanced detection and prevention mechanisms. The following thread pool work items that can be scheduled in Windows. Here’s how each one could potentially be vulnerable to attacks:

  1. Worker Factory Start Routine Overwrite: Overwriting the start routine can redirect worker threads to execute malicious code.
  2. TP_WORK Insertion: By inserting TP_WORK objects, attackers could run arbitrary code in the context of a thread pool thread.
  3. TP_WAIT Insertion: Manipulating wait objects can trigger the execution of malicious code when certain conditions are met.
  4. TP_IO Insertion: By intercepting or inserting IO completion objects, attackers could execute code in response to IO operations.
  5. TP_ALPC Insertion: Attackers could insert ALPC (Advanced Local Procedure Call) objects to execute code upon message arrival.
  6. TP_JOB Insertion: Jobs can be associated with malicious actions, executed when certain job-related events occur.
  7. TP_DIRECT Insertion: Direct insertion allows immediate execution of code, which can be abused for running malware.
  8. TP_TIMER Insertion: Timers can be used by attackers to schedule the execution of malicious payloads at specific times.

These vulnerabilities generally stem from the fact that thread pools execute callback functions, which attackers may manipulate to point to their code, thus achieving code execution within the context of a legitimate process.

MITIGATION

Mitigating threats that involve the exploitation of Windows thread pools for process injection requires a multi-faceted approach, combining advanced technological solutions with proactive security practices. Here are some potential measures and recommendations:

  1. Enhanced Detection Algorithms:
    • Endpoint Detection and Response (EDR) solutions should incorporate advanced algorithms capable of detecting anomalous behaviors associated with thread pool manipulation. This includes unusual activity patterns in worker threads and unexpected changes in thread pool configurations.
  2. Deep System Monitoring:
    • Implement deep monitoring of system internals, especially focusing on thread pools and worker thread activities. Monitoring should include the creation of work items, modifications to timer queues, and the execution patterns of threads.
  3. Regular Security Audits:
    • Conduct regular security audits of systems to identify potential vulnerabilities. This includes reviewing and updating the configurations of thread pools and ensuring that security patches and updates are applied promptly.
  4. Advanced Threat Intelligence:
    • Utilize advanced threat intelligence tools to stay informed about new vulnerabilities and attack techniques involving thread pools. This intelligence can be used to update defensive measures continuously.
  5. Employee Training and Awareness:
    • Educate IT staff and employees about the latest cybersecurity threats, including those involving thread pool exploitation. Awareness can help in early detection and prevention of such attacks.
  6. Behavioral Analysis and Heuristics:
    • Implement security solutions that use behavioral analysis and heuristics to detect unusual patterns that might indicate thread pool exploitation. This approach can identify attacks that traditional signature-based methods might miss.
  7. Zero Trust Architecture:
    • Adopt a zero trust architecture where systems do not automatically trust any entity inside or outside the network. This approach can limit the impact of an attack by restricting access and permissions to essential resources only.
  8. Regular Software Updates:
    • Ensure that all software, especially operating systems and security tools, are regularly updated. Updates often include patches for known vulnerabilities that could be exploited.
  9. Isolation of Sensitive Processes:
    • Isolate sensitive processes in secure environments to reduce the risk of thread pool manipulation affecting critical operations. This can include using virtual machines or containers for added security.
  10. Incident Response Planning:
    • Develop and maintain a robust incident response plan that includes procedures for dealing with thread pool exploitation. This plan should include steps for containment, eradication, recovery, and post-incident analysis.

By implementing these measures, organizations can strengthen their defenses against sophisticated attacks that exploit Windows thread pools, thereby enhancing their overall cybersecurity posture.

Evading EDR: The Definitive Guide to Defeating Endpoint Detection Systems.

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: BYPASS EDRS, INJECTION ATTACKS

Leave a Reply

You must be logged in to post a comment. Login now.