Introducing Early Cascade Injection: From Windows Process Creation to Stealthy Injection
By Guido Miggelenbrink at Outflank
Introduction
In this blog post we introduce a novel process injection technique named Early Cascade Injection, explore Windows process creation, and identify how several Endpoint Detection and Response systems (EDRs) initialize their in-process detection capabilities. This new Early Cascade Injection technique targets the user-mode part of process creation and combines elements of the well-known Early Bird APC Injection technique with the recently published EDR-Preloading technique by Marcus Hutchins [1]. Unlike Early Bird APC Injection, this new technique avoids queuing cross-process Asynchronous Procedure Calls (APCs), and it requires only minimal interaction with the remote process. This makes Early Cascade Injection a stealthy process injection technique that is effective against top-tier EDRs while avoiding detection.
Tags: Early Cascade injection, EarlyCascade, EDR Evasion, EDR userland initialisation, EDR-Preloading, Injection, Windows process creation