
Major EDRs fail to flag novel process injection techniques

None of the endpoint detection and response (EDR) solutions from Microsoft, SentinelOne, CrowdStrike, Cybereason, and Palo Alto Networks detected or prevented eight new process injection techniques, collectively dubbed "Pool Party," that abuse Windows thread pools to execute malicious code, reports SecurityWeek. According to a SafeBreach report, the first Pool Party variant discovered abuses the start routine of worker factories, while the others abuse the thread pool's task, I/O completion, and timer queues. The findings indicate that vendors must continuously evolve their EDR products as threat actors keep developing novel and increasingly sophisticated process injection techniques. "Sophisticated threat actors will continue to explore new and innovative methods for process injection, and security tool vendors and practitioners must be proactive in their defense against them," said SafeBreach, which has already notified all of the EDR vendors whose products were tested in the study about the techniques.
