CanSecWest 2024
Presentations
From March 20 to 22
The Pool Party You Will Never Forget: New Process Injection Techniques Using Windows Thread Pools
In this talk, we will delve into the internals of the Windows user-mode thread pool, a component that seems to have been overlooked by security researchers in the past. Our exploration begins with an introduction to the thread pool architecture, its work item queuing mechanism, and the execution process managed by the scheduler.
Moving forward, we will uncover how an attacker can take over the thread pool and insert any type of work item into any process on the system.
We will unveil the "PoolParty" tool for the first time, a collection of new and fully undetectable process injection techniques that leverage the Windows user-mode thread pool.
Concluding our presentation, we will demonstrate how "PoolParty" attacks also bypass detection mechanisms aimed at other behaviours, such as ransomware and credential-dumping detections.