Skip to content

Add Thread Pool injection techniques #1087

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mike-hunhoff merged 5 commits into from
Dec 4, 2025
Merged

Add Thread Pool injection techniques #1087

mike-hunhoff merged 5 commits into from
Dec 4, 2025

Conversation

@Still34
Copy link
Contributor

@Still34 Still34 commented Nov 29, 2025

Summary

This PR adds a series of injection techniques mentioned in "The Pool Party You Will Never Forget: New Process Injection Techniques Using Windows Thread Pools" in BlackHat EU 2023; this closes #1008.

The proposed rules may or may not match false positives, and there currently aren't any known in-the-wild samples that use this injection technique; therefore, the proposed rules currently are better fit for the nursery category. The referenced sample is a copy of the locally-compiled version of PoolParty referenced in the original research.

mike-hunhoff
mike-hunhoff requested changes Dec 1, 2025
View reviewed changes
Copy link
Collaborator

@mike-hunhoff mike-hunhoff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work @Still34 ! I've left a comment for your review, and, please add a description field to the meta section of each rule containing a high-level summary of the corresponding technique.

@mike-hunhoff
Copy link
Collaborator

mike-hunhoff commented Dec 1, 2025

@Still34 we're failing lints here, see:

    (nursery)  inject shellcode using thread pool work insertion with TP_IO
      WARN: filename doesn't match the rule name: Rename rule file to match the 
rule name, expected: 
"inject-shellcode-using-thread-pool-work-insertion-with-tp_io.yml", found: 
"inject-shellcode-using-thread-pool-work-insertion-with-tp-io.yml"
      WARN: referenced example doesn't exist: Add the referenced example to 
samples directory ($capa-root/tests/data or supplied via --samples)


    (nursery)  inject shellcode using thread pool work insertion with TP_TIMER
      WARN: filename doesn't match the rule name: Rename rule file to match the 
rule name, expected: 
"inject-shellcode-using-thread-pool-work-insertion-with-tp_timer.yml", found: 
"inject-shellcode-using-thread-pool-work-insertion-with-tp-timer.yml"
      WARN: referenced example doesn't exist: Add the referenced example to 
samples directory ($capa-root/tests/data or supplied via --samples)


    (nursery)  inject shellcode using thread pool work insertion with TP_WORK
      WARN: filename doesn't match the rule name: Rename rule file to match the 
rule name, expected: 
"inject-shellcode-using-thread-pool-work-insertion-with-tp_work.yml", found: 
"inject-shellcode-using-thread-pool-work-insertion-with-tp-work.yml"
      WARN: referenced example doesn't exist: Add the referenced example to 
samples directory ($capa-root/tests/data or supplied via --samples)

You can also run our lints locally to double check before your next commit.

Also, if you create a PR at https://github.com/mandiant/capa-testfiles for e999b36d5f9783178f0a4efa35a25d158f8d94325c3d6794f4153235c0aee60b we can move these rules out of the nursery before merging.

Still34 added a commit to Still34/capa-testfiles that referenced this pull request Dec 3, 2025
@Still34
Add PoolParty PoC compiled sample
a613dbf 
- Related PR mandiant/capa-rules#1087

Signed-off-by: Still Hsu <[email protected]>
@Still34 Still34 mentioned this pull request Dec 3, 2025
Merged
@Still34
Copy link
Contributor Author

Still34 commented Dec 3, 2025

I've updated the rules accordingly - please take a look 🫰

mike-hunhoff
mike-hunhoff requested changes Dec 3, 2025
View reviewed changes
mike-hunhoff pushed a commit to mandiant/capa-testfiles that referenced this pull request Dec 3, 2025
@Still34
Add PoolParty PoC compiled sample (#299)
cfca402 
- Related PR mandiant/capa-rules#1087

Signed-off-by: Still Hsu <[email protected]>
@Still34
Copy link
Contributor Author

Still34 commented Dec 4, 2025

Yeah, that's fair 👍 - removed

mike-hunhoff
mike-hunhoff approved these changes Dec 4, 2025
View reviewed changes
Copy link
Collaborator

@mike-hunhoff mike-hunhoff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀

@mike-hunhoff mike-hunhoff merged commit 6120dfb into mandiant:master Dec 4, 2025
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mike-hunhoff mike-hunhoff mike-hunhoff approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

detect PoolParty injection

2 participants

@Still34 @mike-hunhoff