The Poisoning Method
Security researchers have published a proof of concept for a new Windows process injection technique that avoids several classic indicators monitored by endpoint detection and response (EDR) tools. Named Process Parameter Poisoning, the method does not write malicious code directly into a target process. Instead, it embeds shellcode within the startup data that Windows uses when launching a new process. This approach places the payload inside the Process Environment Block (PEB) through values like the command line, environment block, or a reserved startup field. By targeting data structures created during normal process initialization, the technique circumvents routines such as VirtualAllocEx and WriteProcessMemory that security products commonly flag.
The loader, released as a public project called P-Shellcode Loader, alters the memory permissions of the stored payload and redirects the target’s main thread using NtSetContextThread. This avoids the use of CreateRemoteThread or suspending the target process, actions often associated with traditional injection or process hollowing. The researchers from Orange Cyberdefense reported that the method successfully bypassed detection in tests against four leading EDR solutions, revealing a potential blind spot in defenses focused on memory allocation and thread creation.
Detection Strategies
The technique relies on a smaller set of conspicuous operations, reducing the behavioral footprint available to security tools. Defenders should broaden monitoring to include unusual inputs during process creation, such as abnormally long command lines, atypical environment data, or unexpected values in STARTUPINFO structures. Correlating process startup with rapid thread context changes can also reveal the attack sequence. For example, a combination of PEB reads, memory permission changes from readable/writable to readable/executable, and NtSetContextThread should prompt further investigation.
The proof of concept has limitations. Process parameters use null terminated strings, so shellcode containing zero bytes cannot be directly copied. The researchers addressed this by generating null free code and using a staged routine to rebuild arbitrary payloads later. While the technique is not tied to any active malware campaign, it highlights the need for layered defenses. Application allowlisting, least privilege controls, and timely patching will not eliminate this method but can reduce the likelihood that an attacker gains the initial code execution required to deploy it.
Source: Cyber Security News
