virus logo Threat Signal Report

FortiEDR coverage: PoolParty Code Injection Technique

Description

What is the Attack? On December 6, researchers from SafeBreach published a new code injection technique for Windows OS called "Pool Party" in the Blackhat EU briefing.
The "Pool Party" technique allows injecting processes using the WINAPI thread pool and relies on the fact that every process has an automatically enabled thread pool. It then uses the API on the target process to add new routines to the existing thread pool.
Why is this Significant? The new injection technique implements eight different variants. These have been tested by SafeBreach researchers against 5 leading EDR products and reported to be effective in evading them.
Currently, no threat actors have been identified using this technique.
What is the Status of Coverage? FortiEDR blocks all PoolParty variants out of the box.
FortiEDR's injection detection does not rely on a specific API being called, but rather on a kernel behavior detection policy that allows unknown techniques to be detected.
Malicious actions by the injected threads, such as attempting to connect to C2, will be blocked by EDR.
FortiEDR customers with Collector versions 5.2.0 and 5.2.2 are protected with no update required to Collector or Content.

Appendix

The Pool Party You Will Never Forget: New Process Injection Techniques Using Windows Thread Pools (SafeBreach)

The-Pool-Party-You-Will-Never-Forget: New Process Injection Techniques Using Windows Thread Pools (BlackHat)


Date Dec 20, 2023
Threat/
Vulnerability		 Code injection technique
Experienced a Breach? We're here to help FortiGuard Incident Response Services
FortiGuard Incident Response Services