Bypassing EDR with Windows Thread Pool Injection

TLDR: Modern EDR solutions rely heavily on hooking common process injection APIs like CreateRemoteThread. By abusing the Windows user-mode thread pool architecture, researchers have developed a new class of injection techniques that execute arbitrary code without triggering these standard hooks. This research, released as the PoolParty tool, demonstrates how to perform evasive credential dumping and bypass Windows Controlled Folder Access by manipulating worker factories and task queues.

Endpoint Detection and Response (EDR) platforms have spent years perfecting the art of catching traditional process injection. If you call VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread in sequence, you are going to get flagged. Most security teams have tuned their alerts to look for these specific API patterns. However, the underlying operating system provides a massive, complex surface area that EDRs often struggle to monitor comprehensively. The recent research into Windows thread pool abuse proves that we are still playing a game of cat and mouse where the OS itself provides the best hiding spots.

The Mechanics of Thread Pool Abuse

The Windows thread pool is designed to manage background tasks efficiently, using worker threads to process items from a queue. This architecture is inherently legitimate and ubiquitous across almost every Windows process. The core of this research focuses on the fact that these pools are managed by internal structures that are not typically monitored by security products.

A worker factory is the object responsible for managing the pool's threads. By gaining a handle to a worker factory in a target process, an attacker can manipulate how that process handles work items. The research identifies that you do not need to create a new thread to execute code. Instead, you can queue a malicious work item into an existing thread pool. When the pool processes that item, your code runs within the context of the target process.

The PoolParty tool automates this by targeting different types of work items:

• TP_WORK: Standard tasks queued for immediate execution.
• TP_IO: Asynchronous I/O operations that trigger a callback upon completion.
• TP_TIMER: Tasks that execute once a specific timer expires.

By using DuplicateHandle to gain access to the worker factory of a target process, you can bypass the need for high-privilege injection calls. Once you have that handle, you can use NtSetInformationWorkerFactory or manipulate the task queue directly to insert your payload.

Evasive Credential Dumping

Credential dumping is the bread and butter of post-exploitation, but it is also the most heavily monitored activity. Tools like Mimikatz are often caught the moment they attempt to access the memory of lsass.exe. The research demonstrates that by using thread pool injection, you can force a target process to dump its own memory.

Instead of an external process reading lsass.exe memory, you inject a payload into a process that already has the necessary permissions. This payload then triggers a memory dump. Because the dump is performed by a legitimate, trusted process, the EDR often ignores the activity. This technique is particularly effective against Controlled Folder Access, a feature designed to prevent unauthorized processes from modifying files in protected directories. By injecting into a process that is already on the allow-list for that folder, you can write your dump file without triggering a block.

Practical Engagement Considerations

For a pentester, this research changes the approach to lateral movement and privilege escalation. When you land on a machine, your first instinct is often to look for ways to inject into high-privilege processes. If you rely on standard injection tools, you will likely be caught by the EDR's behavioral analysis.

During an engagement, you should prioritize identifying processes that have active thread pools and the necessary permissions for your objectives. The PoolParty repository provides a clear roadmap for how to weaponize these techniques. The key is to avoid the "noisy" APIs. If you find yourself in an environment with a mature EDR, stop reaching for the standard toolset and start looking at how the OS handles background tasks.

Defensive Blind Spots

Defenders need to move beyond simple API hooking. If your detection strategy is limited to monitoring CreateRemoteThread or QueueUserAPC, you are missing a significant portion of the attack surface. Detection engineering must evolve to include monitoring for the manipulation of internal kernel objects like worker factories and I/O completion ports.

While it is difficult to monitor every interaction with these structures, you can look for anomalies in how processes interact with their own thread pools. For example, a process that suddenly starts queuing work items from an unexpected source or a process that has its worker factory handle duplicated by an unauthorized process should be a high-fidelity alert.

The reality is that as long as we rely on the operating system to perform complex tasks, there will be ways to abuse those tasks for malicious ends. This research is a reminder that the most effective attacks are often those that blend in with the normal, day-to-day operations of the system. Keep testing your assumptions about what is "normal" behavior, and keep digging into the internals of the OS. The next big bypass is likely hiding in a feature you haven't looked at yet.