
detect PoolParty injection

Open · Still34 opened this issue 10 months ago · 1 comment

Prerequisites

  • [x] Put an X between the brackets on this line if you have done all of the following:
    • Checked that your rule idea isn't already filed: search

Summary

A rule that detects PoolParty, a series of injection techniques that abuse Windows Thread Pools for shellcode injection.

Examples

Features

TBD

Additional context

https://www.youtube.com/watch?v=AvBO4f7blew
https://www.blackhat.com/eu-23/briefings/schedule/#the-pool-party-you-will-never-forget-new-process-injection-techniques-using-windows-thread-pools-35446

Rule details

Namespace

References

Other rule meta information

Still34 · Feb 25 '25 09:02
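The issue leaves "Features" as TBD, so the following is an added starting point rather than a rule from the capa-rules repository or from the issue author: a draft capa rule in the project's YAML format that looks for the combination of API calls a PoolParty-style injector needs (duplicating a handle to another process's thread-pool objects, querying or updating a worker factory or posting to an I/O completion object, and writing a work item or start routine into the target). The namespace, author, rule name and the exact API set are assumptions to be narrowed against samples built from SafeBreach-Labs/PoolParty; no sample hash is named in the issue, so none is given here.

```yaml
# Added draft, not a capa-rules rule and not yet linted. The API groups below are
# an assumption drawn from the public PoolParty write-up; tighten or split them
# per variant after running capa over a known PoolParty build.
rule:
  meta:
    name: inject into process via thread pool work item (PoolParty)  # assumed name
    namespace: host-interaction/process/inject                       # assumed; issue leaves it blank
    authors:
      - placeholder@example.com                                      # placeholder author
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Defense Evasion::Process Injection [T1055]
    references:
      - https://www.blackhat.com/eu-23/briefings/schedule/#the-pool-party-you-will-never-forget-new-process-injection-techniques-using-windows-thread-pools-35446
      - https://github.com/SafeBreach-Labs/PoolParty
    # examples: add the sha256 of a sample here before submitting; capa's linter requires it
  features:
    - and:
      # obtain a handle to the target's worker factory or I/O completion object
      - or:
        - api: DuplicateHandle
        - api: NtDuplicateObject
        - api: ZwDuplicateObject
      # interact with thread-pool internals that ordinary callers never touch directly
      - or:
        - api: NtQueryInformationWorkerFactory
        - api: NtSetInformationWorkerFactory
        - api: ZwSetInformationWorkerFactory
        - api: NtSetIoCompletion
        - api: ZwSetIoCompletion
      # place the work item or replacement start routine in the target process
      - or:
        - api: WriteProcessMemory
        - api: NtWriteVirtualMemory
        - api: ZwWriteVirtualMemory
```

The `and` of three `or` groups is deliberate: each group on its own is common in benign code (handle duplication, thread-pool setup, cross-process writes), so the rule should only fire when all three appear in one function or thread. Before filing it, run `capa` with the rule directory against both a PoolParty build and a few clean thread-pool-heavy binaries to check the false-positive rate, and consider separate rules if the worker-factory and I/O-completion variants turn out to have distinct enough signatures.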

Implementation for the technique SafeBreach-Labs/PoolParty

elad-levi-cyberark · Mar 12 '25 10:03