Information Security Newspaper | Hacking News (https://www.securitynewspaper.com)

How to Bypass EDRs, AV with Ease using 8 New Process Injection Attacks
https://www.securitynewspaper.com/2023/12/11/undetectable-forever-how-to-bypass-edrs-av-with-ease-using-8-new-process-injection-attacks/
Mon, 11 Dec 2023 23:49:54 +0000
In the ever-evolving landscape of cybersecurity, researchers are continually uncovering new methods that challenge existing defense mechanisms. A recent study by SafeBreach, a leader in cybersecurity research, has brought to light a novel process injection technique that exploits Windows thread pools, revealing vulnerabilities in current Endpoint Detection and Response (EDR) solutions. This groundbreaking research not only demonstrates the sophistication of potential cyber threats but also underscores the need for advanced defensive strategies in the digital world. Thread pool exploitation is challenging for EDRs to detect because it uses legitimate system mechanisms for malicious purposes. EDRs often look for known patterns of malicious activity, but when malware hijacks legitimate processes or injects code via expected system behaviors, such as those involving thread pools, it can blend in without raising alarms. Essentially, these techniques don’t leave the typical traces that EDRs are programmed to identify, allowing them to operate under the radar.

Understanding Process Injection:

Process injection is a technique often used by cyber attackers to execute malicious code within the memory space of a legitimate process. By doing so, they can evade detection and gain unauthorized access to system resources. Traditionally, this method involves three key steps: allocating memory in the target process, writing the malicious code into this allocated space, and then executing the code to carry out the attack.

The Role of Windows Thread Pools:

Central to this new technique is the exploitation of Windows thread pools. Thread pools are a Windows system feature for managing worker threads, which perform various tasks in the background. By reusing a pool of threads instead of creating and destroying a thread for every task, they reduce overhead and optimize the use of system resources; in legitimate scenarios this improves the performance and responsiveness of applications. Thread pools are integral to the operating system and are used by many applications for asynchronous work.

SafeBreach’s research delves into how these thread pools can be manipulated for malicious purposes. By exploiting the mechanisms that govern thread pool operations, attackers can inject malicious code into other running processes, bypassing traditional security measures. This technique presents a significant challenge to existing EDR solutions, which are typically designed to detect more conventional forms of process injection. Here are some examples of such manipulations:

  1. Inserting Malicious Work Items:
    • Attackers can insert malicious work items into the thread pool. These work items are essentially tasks scheduled to be executed by the pool’s worker threads. By inserting a work item that contains malicious code, an attacker can execute this code under the guise of a legitimate process.
  2. Hijacking Worker Threads:
    • An attacker might hijack the worker threads of a thread pool. By taking control of these threads, the attacker can redirect their execution flow to execute malicious code. This method can be particularly effective because worker threads are trusted components within the system.
  3. Exploiting Timer Queues:
    • Windows thread pools use timer queues to schedule tasks to be executed at specific times. An attacker could exploit these timer queues to schedule the execution of malicious code at a predetermined time, potentially bypassing some time-based security checks.
  4. Manipulating I/O Completion Callbacks:
    • Thread pools handle I/O completion callbacks, which are functions called when an I/O operation is completed. By manipulating these callbacks, an attacker can execute arbitrary code in the context of a legitimate I/O completion routine.
  5. Abusing Asynchronous Procedure Calls (APCs):
    • While not directly related to thread pools, attackers can use Asynchronous Procedure Calls, which are mechanisms for executing code asynchronously in the context of a particular thread, in conjunction with thread pool manipulation to execute malicious code.
  6. Worker Factory Manipulation:
    • The worker factory in a thread pool manages the worker threads. By manipulating the worker factory, attackers can potentially control the creation and management of worker threads, allowing them to execute malicious tasks.
  7. Remote TP_TIMER Work Item Insertion:
    • This involves creating a timer object in the thread pool and then manipulating it to execute malicious code. The timer can be set to trigger at specific intervals, executing the malicious code repeatedly.
  8. Queue Manipulation:
    • Attackers can manipulate the queues used by thread pools to prioritize or delay certain tasks. By doing so, they can ensure that their malicious tasks are executed at a time when they are most likely to go undetected.

These examples illustrate the versatility and potential stealth of using Windows thread pools for malicious purposes. The exploitation of such integral system components poses a significant challenge to cybersecurity defenses, requiring advanced detection and prevention mechanisms. The following are the thread pool work items that can be scheduled in Windows, with a note on how each one could potentially be abused:

  1. Worker Factory Start Routine Overwrite: Overwriting the start routine can redirect worker threads to execute malicious code.
  2. TP_WORK Insertion: By inserting TP_WORK objects, attackers could run arbitrary code in the context of a thread pool thread.
  3. TP_WAIT Insertion: Manipulating wait objects can trigger the execution of malicious code when certain conditions are met.
  4. TP_IO Insertion: By intercepting or inserting IO completion objects, attackers could execute code in response to IO operations.
  5. TP_ALPC Insertion: Attackers could insert ALPC (Advanced Local Procedure Call) objects to execute code upon message arrival.
  6. TP_JOB Insertion: Jobs can be associated with malicious actions, executed when certain job-related events occur.
  7. TP_DIRECT Insertion: Direct insertion allows immediate execution of code, which can be abused for running malware.
  8. TP_TIMER Insertion: Timers can be used by attackers to schedule the execution of malicious payloads at specific times.

These vulnerabilities generally stem from the fact that thread pools execute callback functions, which attackers may manipulate to point to their code, thus achieving code execution within the context of a legitimate process.
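To make the detection gap concrete, here is a small added example in Python (not SafeBreach's code or any EDR vendor's logic): a toy correlation rule that flags the classic write-then-create-remote-thread sequence over constructed telemetry, beside a variant that also treats the thread pool insertions listed above as execution steps. The event names and the (source_pid, target_pid, event) schema are constructed for the example and do not correspond to any real EDR or ETW provider.

```python
# Added example: toy detection rules for the write-then-execute pattern.
# The telemetry schema below is constructed for illustration only; it does not
# match any real EDR or ETW provider. Each event is (source_pid, target_pid, name).

# Classic three-step injection: allocate, write, then execute via a new thread.
CLASSIC_INJECTION = [
    (4242, 1337, "RemoteMemoryAlloc"),
    (4242, 1337, "RemoteMemoryWrite"),
    (4242, 1337, "RemoteThreadCreate"),
]

# Thread-pool variant: the same allocate/write steps, but execution comes from
# inserting a TP_TIMER work item into the target's existing thread pool, so no
# new thread is created in the target.
THREADPOOL_INJECTION = [
    (4242, 1337, "RemoteMemoryAlloc"),
    (4242, 1337, "RemoteMemoryWrite"),
    (4242, 1337, "TP_TIMER_Insert"),
]

# Benign: a process managing its own memory, threads and thread pool.
BENIGN_ACTIVITY = [
    (1337, 1337, "RemoteMemoryAlloc"),
    (1337, 1337, "RemoteMemoryWrite"),
    (1337, 1337, "RemoteThreadCreate"),
    (1337, 1337, "TP_WORK_Insert"),
]

# Execution primitive a traditional rule looks for.
CLASSIC_EXECUTION = {"RemoteThreadCreate"}

# Execution primitives mirroring the article's list of thread pool work items.
THREADPOOL_EXECUTION = {
    "WorkerFactoryStartRoutineOverwrite",
    "TP_WORK_Insert", "TP_WAIT_Insert", "TP_IO_Insert", "TP_ALPC_Insert",
    "TP_JOB_Insert", "TP_DIRECT_Insert", "TP_TIMER_Insert",
}


def flag_write_then_execute(events, execution_events):
    """Return the (source_pid, target_pid) pairs where a cross-process memory
    write is later followed by one of `execution_events`.

    A process acting on itself is ordinary behaviour, not injection, and is
    ignored. Order matters: an execution event before any write is not flagged.
    """
    wrote = set()
    flagged = set()
    for src, dst, name in events:
        if src == dst:
            continue
        pair = (src, dst)
        if name == "RemoteMemoryWrite":
            wrote.add(pair)
        elif name in execution_events and pair in wrote:
            flagged.add(pair)
    return flagged


def classic_rule(events):
    """Traditional rule: cross-process write followed by remote thread creation."""
    return flag_write_then_execute(events, CLASSIC_EXECUTION)


def threadpool_aware_rule(events):
    """Extended rule: cross-process thread pool insertions also count as execution."""
    return flag_write_then_execute(events, CLASSIC_EXECUTION | THREADPOOL_EXECUTION)


if __name__ == "__main__":
    for label, trace in [("classic", CLASSIC_INJECTION),
                         ("thread pool", THREADPOOL_INJECTION),
                         ("benign", BENIGN_ACTIVITY)]:
        print(f"{label:12s} classic={classic_rule(trace)} "
              f"threadpool_aware={threadpool_aware_rule(trace)}")
```

Run as a script, the classic rule flags only the classic trace and misses the thread pool trace entirely, which is the gap the article describes; the extended rule catches both while leaving the benign trace alone.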

Implications for Endpoint Detection and Response (EDR) Solutions

The research by SafeBreach Labs tested the newly discovered Pool Party variants against five leading EDR solutions: Palo Alto Cortex, SentinelOne EDR, CrowdStrike Falcon, Microsoft Defender For Endpoint, and Cybereason EDR. The result was startling, as none of the tested EDR solutions were able to detect or prevent the Pool Party attack techniques. This underscores the need for ongoing innovation in cybersecurity defense mechanisms to keep pace with evolving threats. The exploitation of Windows thread pools for process injection, as highlighted in the SafeBreach article, has significant implications for Endpoint Detection and Response (EDR) solutions. These implications necessitate a reevaluation and enhancement of current EDR strategies:

  1. Challenge to Traditional Detection Methods:
    • Traditional EDR solutions often rely on signature-based detection and known behavioral patterns to identify threats. However, the manipulation of Windows thread pools represents a more sophisticated attack vector that may not be easily detected through these conventional methods. This calls for an advancement in detection technologies.
  2. Need for Deeper System Monitoring:
    • EDR solutions must now consider deeper system monitoring, particularly focusing on the internals of operating systems like thread pool activities, thread creation, and execution patterns. This level of monitoring can help in identifying anomalies that are indicative of thread pool exploitation.
  3. Enhancing Behavioral Analysis Capabilities:
    • EDR systems need to enhance their behavioral analysis capabilities to detect unusual activities that could signify a threat. This includes monitoring for irregularities in thread pool usage, unexpected execution of code within thread pools, and other anomalies that deviate from normal system behavior.
  4. Integration of Advanced Heuristics:
    • Integrating advanced heuristics and machine learning algorithms can help EDR solutions become more proactive in detecting new and sophisticated attack methods. These technologies can learn from evolving attack patterns and adapt their detection mechanisms accordingly.
  5. Improving Response Strategies:
    • In addition to detection, EDR solutions must improve their response strategies to such threats. This includes automated containment measures, quick eradication of threats, and efficient recovery processes to minimize the impact of an attack.
  6. Collaboration and Threat Intelligence Sharing:
    • EDR vendors and cybersecurity experts need to collaborate and share threat intelligence actively. By understanding the latest attack trends and techniques, such as those involving thread pool exploitation, EDR solutions can be better equipped to protect against them.
  7. Educating Users and Administrators:
    • EDR solutions should also focus on educating users and system administrators about these new threats. Awareness can play a crucial role in early detection and response to sophisticated attacks.
  8. Regular Updates and Patch Management:
    • Continuous updating and patch management are crucial. EDR solutions must ensure that they are updated with the latest threat definitions and that they can identify vulnerabilities in systems that need patching or updates.
  9. Zero Trust Approach:
    • Implementing a zero trust approach can be beneficial. EDR solutions should treat every process and thread as a potential threat until verified, ensuring strict access controls and monitoring at all levels.
  10. Forensic Capabilities:
    • Enhancing forensic capabilities is essential for post-incident analysis. Understanding how an attack was carried out, including thread pool exploitation, can provide valuable insights for strengthening EDR strategies.

In summary, the exploitation of Windows thread pools for process injection presents a complex challenge for EDR solutions, necessitating a shift towards more advanced, intelligent, and comprehensive cybersecurity strategies.

Mitigation

Mitigating threats that involve the exploitation of Windows thread pools for process injection requires a multi-faceted approach, combining advanced technological solutions with proactive security practices. Here are some potential measures and recommendations:

  1. Enhanced Detection Algorithms:
    • Endpoint Detection and Response (EDR) solutions should incorporate advanced algorithms capable of detecting anomalous behaviors associated with thread pool manipulation. This includes unusual activity patterns in worker threads and unexpected changes in thread pool configurations.
  2. Deep System Monitoring:
    • Implement deep monitoring of system internals, especially focusing on thread pools and worker thread activities. Monitoring should include the creation of work items, modifications to timer queues, and the execution patterns of threads.
  3. Regular Security Audits:
    • Conduct regular security audits of systems to identify potential vulnerabilities. This includes reviewing and updating the configurations of thread pools and ensuring that security patches and updates are applied promptly.
  4. Advanced Threat Intelligence:
    • Utilize advanced threat intelligence tools to stay informed about new vulnerabilities and attack techniques involving thread pools. This intelligence can be used to update defensive measures continuously.
  5. Employee Training and Awareness:
    • Educate IT staff and employees about the latest cybersecurity threats, including those involving thread pool exploitation. Awareness can help in early detection and prevention of such attacks.
  6. Behavioral Analysis and Heuristics:
    • Implement security solutions that use behavioral analysis and heuristics to detect unusual patterns that might indicate thread pool exploitation. This approach can identify attacks that traditional signature-based methods might miss.
  7. Zero Trust Architecture:
    • Adopt a zero trust architecture where systems do not automatically trust any entity inside or outside the network. This approach can limit the impact of an attack by restricting access and permissions to essential resources only.
  8. Regular Software Updates:
    • Ensure that all software, especially operating systems and security tools, is regularly updated. Updates often include patches for known vulnerabilities that could be exploited.
  9. Isolation of Sensitive Processes:
    • Isolate sensitive processes in secure environments to reduce the risk of thread pool manipulation affecting critical operations. This can include using virtual machines or containers for added security.
  10. Incident Response Planning:
    • Develop and maintain a robust incident response plan that includes procedures for dealing with thread pool exploitation. This plan should include steps for containment, eradication, recovery, and post-incident analysis.

By implementing these measures, organizations can strengthen their defenses against sophisticated attacks that exploit Windows thread pools, thereby enhancing their overall cybersecurity posture.

List of Top Hacking Tools of 2019
https://www.securitynewspaper.com/2019/12/12/list-of-top-hacking-tools-of-2019/
Thu, 12 Dec 2019 16:32:33 +0000
Most tools are used for vulnerability assessment and penetration testing of a target application or system. Generally they are found on GitHub, an open source community. We will show you some commonly listed tools that were used by many ethical hacking experts of the International Institute of Cyber Security in 2019.

This list covers tools from the following areas:

Top Ethical Hacking Tools

NMAP

Nmap is very popular among pentesters and security researchers. Nmap scans a host for open ports and the services running on any IP address: it sends a number of packets and relies on the responses. Nmap has a large number of options for scanning any IP address. The tool has been developed for different OS platforms, and Nmap also has a GUI version.

Figure: Nmap-CUI / Nmap-GUI

Download Nmap : https://nmap.org/

WPSCAN

WPScan is used to find vulnerabilities in WordPress websites. This tool is known for scanning for vulnerabilities in the core version, plugins and themes of a WordPress website. WPScan also finds weak passwords, users and security configuration issues present on the web application.

Download WPScan : https://github.com/wpscanteam/wpscan

TRAPE

Trape is an OSINT research tool used for tracking people and executing social engineering attacks in real time. Trape was developed to show how large internet companies can obtain confidential information. Trape can collect information such as website sessions, and offers services to control users through their browsers without telling them. The main aim is to help government organizations, researchers and companies find cyber criminals.

Download Trape : https://github.com/jofpin/trape

OSMEDEUS

Osmedeus is a fully automated offensive tool used for vulnerability scanning and reconnaissance. It allows you to run a bunch of different scans together to find vulnerabilities in your target. Some of the features provided by Osmedeus are subdomain scanning, screenshotting the target, basic recon such as whois and dig information, and many other features required in the initial phases of pentesting.

Download Osmedeus : https://github.com/j3ssie/Osmedeus

Metasploit

Metasploit is another popular tool, used for social engineering attacks and getting reverse shells. It is available for all popular platforms. Metasploit comes with pre-built payloads that are used for testing. Metasploit is a widely used tool, and many contributors have helped it grow. You can also opt for Kali Linux, where you will find Metasploit pre-installed.

Download Metasploit : https://github.com/rapid7/metasploit-framework

Top Digital Forensics Tools

SANS-SIFT

SIFT consists of different forensics toolkits based on the Ubuntu OS. It includes all the tools you need for forensics and incident response. SIFT can also perform advanced investigations and respond to intrusions using open source tools. SIFT supports many different formats such as the Advanced Forensic Format and RAW formats, and offers other features such as building a timeline from system logs. SIFT provides cross compatibility between Windows and Linux.

Download SIFT : https://digital-forensics.sans.org/community/downloads

X-Ways Forensics

X-Ways Forensics is an advanced work environment used in computer forensics. It is a very reliable and lightweight tool that uses very few resources. This tool finds deleted files and offers many features that other forensics tools lack. X-Ways Forensics runs from a USB stick on any Windows OS and offers disk cloning and imaging. It can read partitioning and file system structures inside raw images.

Download X-Ways Forensics : http://www.x-ways.net/forensics/

The Sleuth Kit & Autopsy

The Sleuth Kit comes with a bunch of command line Linux tools that analyze different disk images and recover files from them. The Sleuth Kit is used to find file system data, and its plug-in framework allows modules to be incorporated. Autopsy is a GUI-based program used to analyze hard drives and other storage devices. Autopsy has a plugin architecture that helps you find existing modules or develop custom ones.

Download The Sleuth Kit & Autopsy : https://www.sleuthkit.org/autopsy/

Helix

Helix is a live CD based forensic suite used in incident response. It comes with many open source digital forensic tools, offering hex editors, data carving and password cracking tools. This tool collects data from physical memory, network connections, user accounts and many other sources. Helix analyzes the data and compiles the results into a report.

Download Helix : https://www.e-fense.com/products.php

CAINE

CAINE (Computer Aided Investigative Environment) is another Linux distro that contains many digital forensics tools. The later versions of CAINE are based on Ubuntu Linux. CAINE offers a user friendly interface and an optimized environment for conducting forensic analysis. CAINE includes different digital forensic tools such as FTK Imager Lite, a hex editor, NirSoft utilities and many other tools used to gather or recover different files.

Download Caine : https://www.caine-live.net/

Top Reverse Engineering Tools

OllyDbg

OllyDbg is a 32-bit assembler-level debugger used for analyzing different Windows executables. With OllyDbg you can trace registers and find procedures, loops, API calls, tables and much more. OllyDbg debugs multi-threaded applications. The tool supports the MASM and IDEAL formats.

Download OllyDbg : http://www.ollydbg.de/

Ghidra

Ghidra is a popular reverse engineering tool used by the NSA for analyzing suspicious or malicious executables. Ghidra is used to reverse any exe back toward source-level code. Ghidra helps analyze malware, bugs and viruses, and gives reverse engineers and pentesters a proper understanding of the binary.

Download Ghidra : https://ghidra-sre.org/

Distorm3

Distorm3 is designed as a fast decomposer (disassembler) library. It disassembles instructions in 32 and 64 bit modes. Distorm3 is the fastest disassembler library and offers clean and readable source code. Distorm3 depends only on the C library, which is why it can be used in kernel modules.

Download distorm3 : https://github.com/gdabah/distorm

IDA Pro

IDA is designed for static analysis, in contrast to OllyDbg and x64dbg. IDA is a cross platform disassembler, mostly used in professional debugging. You can use its non-commercial version for reverse engineering; to use the product commercially you have to purchase a commercial license. IDA Pro offers a powerful disassembler, supports different OSs as well as the x86 and x64 architectures, and contains built-in debuggers.

Download IDA Pro : https://www.hex-rays.com/products/ida/

WinHex

WinHex is designed for opening Windows executables and is used as a hexadecimal editor. WinHex is mostly used by computer forensic investigators. It consumes little memory and recovers deleted files from hard disks. WinHex is also compatible with floppy disks, CD-ROM and DVD, and supports different file formats. WinHex provides access to physical RAM and other resources.

Download WinHex : https://www.x-ways.net/winhex/

Top Mobile Hacking Tools

Kali Linux Net Hunter

Not to mention, Kali Linux is the most popular OS for penetration testing and is also used by many security researchers. You have to install Kali Linux with Wifite for cracking WiFi passwords. Kali Linux NetHunter runs on most Android devices. Linux requires very little memory to run.

Download Kali Linux NetHunter : https://www.offensive-security.com/kali-linux-nethunter-download/

Reaver For Android

Reaver is a popular application for cracking WiFi passwords. Users don't need any technical expertise to crack a WiFi password using such applications. Reaver offers easy to use features: users can view a list of access points and stations, and see the activity of a specific user. Reaver shows the AP of any manufacturer's device, saves the packets in a .cap file, and sends de-authentication to all connected users.

Download Reaver : https://forum.xda-developers.com/showthread.php?t=2456888

Dex2jar

Dex2jar is designed to decompile Android applications. It is used to read Dalvik executables.

Download dex2jar : https://github.com/pxb1988/dex2jar

Apktool

Apktool is another tool designed for reverse engineering Android APK files. It decodes an APK's code and resources to a form close to the original. Users can even modify Android applications with Apktool, and it also helps in automating repetitive tasks.

Download apktool : https://github.com/iBotPeaches/Apktool

WifiKill

WifiKill is used to ban other users on the same network. With WifiKill you can block users, grab their traffic, show the websites visited by grabbed devices, and show the network names of devices. WifiKill supports Android versions above 4.x.

Download WifiKill : http://paranoid.me/wifikill/downloader/
