VYPR
researchPublished Jul 10, 2026· 1 source

New 'Process Parameter Poisoning' Technique Bypasses Four Leading EDR Solutions

A novel Windows technique dubbed 'Process Parameter Poisoning' allows attackers to hide malicious code within legitimate process startup data, evading detection by leading EDR solutions.

A newly disclosed proof-of-concept technique for Windows, named "Process Parameter Poisoning," demonstrates a sophisticated method for attackers to inject malicious code into legitimate processes while circumventing the detection capabilities of leading endpoint detection and response (EDR) solutions. Unlike traditional process injection methods that often involve direct memory manipulation and trigger common security alerts, this technique leverages the way Windows initializes new processes.

The core of Process Parameter Poisoning lies in its exploitation of the Process Environment Block (PEB), a data structure that holds information about a process, including its command-line arguments and environment variables. Instead of writing directly to a target process's memory, an attacker can place their shellcode or malicious payload within these startup parameters when a new process is created. This approach cleverly disguises the malicious payload as legitimate initialization data, making it significantly harder for security tools focused on traditional injection indicators to identify.

Researchers behind the public "P-Shellcode Loader" project on GitHub have shown that this method can bypass detection mechanisms in at least four major EDR products. The technique avoids well-known API calls such as VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread, which are frequently monitored by security software. By embedding the payload in the PEB's startup data, the loader then modifies the new process's main thread to execute the injected code, effectively hijacking the program's execution flow without raising typical red flags.

Orange Cyberdefense, in a report shared with Cyber Security News, highlighted that this method does not require the target process to be created in a suspended state or involve later thread suspension, actions often associated with other stealthy techniques like process hollowing. The reduced number of conspicuous operations makes the activity more difficult to trace for behavior-based security systems, though it does not render the activity entirely invisible.

While the research is not currently linked to any active malware campaigns or specific threat actors, its implications for defense are significant. Process injection remains a prevalent technique used by malware to blend in with legitimate system activity. The success of Process Parameter Poisoning underscores the need for defenders to broaden their monitoring strategies beyond traditional memory manipulation alerts.

To detect this technique, security teams are advised to monitor for unusual CreateProcessW inputs, such as excessively long command lines, abnormal environment variables, or unexpected data within STARTUPINFO structures. Correlating process creation events with subsequent rapid thread context changes, particularly those involving NtQueryInformationProcess and PEB reads, followed by memory permission modifications and NtSetContextThread calls, can help identify this attack pattern.

The proof-of-concept has certain limitations, such as the inability to directly inject shellcode containing null bytes due to the nature of null-terminated strings used for process parameters. However, the researchers have developed workarounds, including generating null-byte-free code and employing staged routines to reconstruct arbitrary payloads, such as loading DLLs or fetching content from remote locations.

Ultimately, Process Parameter Poisoning highlights a critical blind spot in EDR solutions that heavily rely on detecting traditional memory-writing and process-creation behaviors. Defenders must adapt by extending telemetry to cover process startup data and thread-context manipulation, alongside validating existing detections against this novel attack vector. While not a silver bullet, layered security controls including application allowlisting and least-privilege principles can help mitigate the risk.

Synthesized by Vypr AI