Full Report
Introduction Authors: Max Hirschberger & Ogulcan Ugur Process Parameter Poisoning (P3) is an attack technique we developed that is used to inject code in foreign processes, without triggering typical detection mechanisms. Its ability to fly under the radar has been tested against four market leading Endpoint Detection and Response (EDR) solutions. Code injection succeeded in all cases and no alerts were created, even though the EDRs were configured to detect, block and remediate.
Analysis Summary
# Tool/Technique: Process Parameter Poisoning (P3)
## Overview
Process Parameter Poisoning (P3) is an advanced code injection technique that bypasses Endpoint Detection and Response (EDR) solutions by piggybacking malicious code onto legitimate process startup parameters. Instead of using highly monitored APIs like `WriteProcessMemory` or `VirtualAllocEx`, it leverages the memory automatically allocated by the Windows operating system for command-line arguments, environment variables, or startup information structures during process creation.
## Technical Details
- **Type:** Technique (Process Injection / Evasion)
- **Platform:** Windows
- **Capabilities:** EDR evasion, stealthy code execution, indirect memory writing, and process hijacking.
- **First Seen:** Published July 6, 2026 (by SensePost/Orange Cyberdefense).
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
- **T1055 - Process Injection**
- **T1562.001 - Impair Defenses: Disable or Modify Tools** (By bypassing EDR monitoring)
- **TA0002 - Execution**
- **T1059 - Command and Scripting Interpreter** (Abusing command-line parameters)
## Functionality
### Core Capabilities
- **Indirect Data Transfer:** Injects shellcode into a target process by placing it within the `lpCommandLine`, `lpEnvironment`, or `lpStartupInfo` parameters of the `CreateProcessW` API call.
- **Allocation Bypass:** Avoids the use of `VirtualAllocEx` or `NtAllocateVirtualMemory`. The OS kernel automatically allocates memory for these parameters in the target process.
- **Write Bypass:** Avoids `WriteProcessMemory`. The OS handles the transfer of these parameters from the loader to the target process's memory space.
### Advanced Features
- **Thread Context Manipulation:** Uses `SetThreadContext` or `NtSetContextThread` to point the Instruction Pointer (EIP/RIP) or other registers to the memory address where the "poisoned" parameters are stored.
- **Permission Modification:** Uses `VirtualProtectEx` to change the memory protections of the legitimate parameter buffers (e.g., Command Line buffer) to `PAGE_EXECUTE_READ` to allow shellcode execution.
- **EDR Telemetry Silencing:** By using standard process creation flows, the technique generates "noisy" or "benign-looking" telemetry that many EDRs are configured to ignore to prevent false positives.
## Indicators of Compromise
- **File Names:** `p3-loader.exe` (Default name of the proof-of-concept tool).
- **Behavioral Indicators:**
- `CreateProcess` calls containing unusually long or high-entropy command-line arguments (up to 32,767 characters).
- Environment variables containing non-ASCII/binary data.
- Calling `VirtualProtectEx` on the memory regions associated with the Process Environment Block (PEB) or process parameters.
- Use of `SetThreadContext` on a newly created process in a suspended state to point to a memory region originally intended for strings.
## Associated Threat Actors
- No specific named groups currently attributed; however, the tool was open-sourced by **SensePost / Orange Cyberdefense** for research purposes.
## Detection Methods
- **Behavioral Detection:**
- Monitoring for `VirtualProtectEx` calls that grant execution permissions to memory regions pointed to by the PEB's `ProcessParameters` structure.
- Analyzing the entropy of command lines; strings that look like shellcode rather than human-readable text.
- Correlating `CreateProcess` (in suspended state) followed by `SetThreadContext` where the target address is within the process parameters block.
- **YARA Rules:** Can be developed to scan for the `p3-loader` binary or specific patterns of shellcode being passed into environment variable structures.
## Mitigation Strategies
- **Prevention:** Use **Arbitrary Code Guard (ACG)** and **Code Integrity Guard (CIG)** to prevent the allocation of executable memory that is not backed by a signed file on disk.
- **Hardening:** Implement strict EDR policies that monitor and alert on *any* `SetThreadContext` modification to the instruction pointer of a remote process, regardless of the API used to write the memory.
- **Constraint:** Limit the length of command-line arguments via policy where possible (though often impractical for production environments).
## Related Tools/Techniques
- **Process Hollowing:** Similar in that it creates a process in a suspended state, but P3 differs by not replacing the entire executable image.
- **Dirty Vanity:** Another advanced injection technique mentioned as a comparison.
- **Early-Bird APC Injection:** Shares the concept of injecting code early in the process lifecycle.
- **Process Argument Spoofing:** A related technique that modifies arguments *after* process creation to hide them from Task Manager/Process Explorer.