When The Hunter Becomes The Hunted: Using Minifilters To Disable EDRs

hello hi thank you everybody for for coming today um so yeah let's get started right away this title you see here is actually uh inspired or even copied from an alter security blog post that I saw few months back and they had sort of a whole blog post on how you could byass EDR using custom callbacks so that got me thinking on how we could do that potentially with mini filters so yeah let's get to it quick intro who am I um my name is Tom I'm French but I live in London now I'm working in instant response but that's actually a fairly recent switch um up until September I was um in offensive security that's why I spent pretty much

my whole career up until two months ago so yeah I've mentioned um here on this slide that this is my first major conference talk so little bit anxious you might be able to tell but I definitely looking for some feedback at the end of it if you have some uh there'll be a q& session as well so yeah if you have anything really looking forward to hear that then on the agenda for today we'll start with a bit of background on edrs like what components are involved in edrs how they work together but specifically we'll focus a bit more on the mini filters because that's what we're here for in the second part we cover a few old and more recent attacks

uh involving Min filters then we get to the main juicy stuff the main technical part where we see how we can actually um turn things around on the EDR and use Min filters against them and finally we'll see um I guess a bit how as Defenders we could prevent that from happening or detect it at least so diving right in um the EDR agent first let's look at all the blue elements we have here these are I would say broadly speaking the um elements that make up your operating system so you have your file system to manage your files on the left side you have your network stack for communication on the right top side um you have images and

and processes to execute code so that really makes up uh in high level terms your operating system in Orange you have the elements that the operating system makes available to the EDR for security purposes so you have the etw event tracing for Windows uh which just provides some logging basically and the ADR can consume uh these log source and analyze these logs to or maybe correlate them with some other Telemetry sources they have to discover malicious behavior and you have the Elam service on the right side which is the early launch anti malware which allows pretty much to load um the Elam driver that's right above it um before most drivers on the system for anti purposes nine red we

have our juicy stuff we have the actual EDR elements um not all of them are actually implemented by all EDR vendors but I would say uh most Ed vendors Implement most of them because well the more security features you have usually the better starting with obviously the mini filter uh the file system mini filter on the left side which allows to monitor the file system for um events and will be the main focus of today next to it we have the static scanner um pretty pretty I would say a common functionality you just scan files yes or no is it malicious that's what it does next to the stat scanner we have the kernel mod driver and the hooking dll um

these two work together to sort of try and detect some maliciousness whenever Windows API called windows apis are called uh obviously the Kern driver also has a lot more security purposes for monitoring things like image Creations process Creations these type of things um but we won't go into too much detail next to it Network filter similar to the uh file system minifilter you have the equivalent for Network and then finally at the very bottom you have the agent service um I would say this is probably the most crucial piece of the EDR because its role is really to aggregate all the Telemetry created by all the other sources that are there and sometimes it does more than that it

might contain you know U maybe a machine machine learning module it might corate events generate others these type of things um but it's generally where all the uh I would say it's the main service that will ship the logs to let's say your data lake or your EDR provider or wherever remote server you have to to ship those logs too so it's really the central piece of the EDR and and if this whole architecture really without it you pretty much have no EDR on your [Music] endpoint so let's dive a bit into mini filters um put it shortly a mini filter attaches to the file system stack so they are just scel drivers that sit between um

user L where you and I just interact with the file system create files open them these kind of things and the actual file system that will perform the operation so what you see on the screen here is an iack for the filter manager which in nut shell is the system that allows developers to write Min filters and to have them executed on the system what it means really is any developer can create their own mini filter driver install it on the machine and then start filtering event so whenever you have a user who tries to open a file if your mini filter filters for that specific event then you can take action um on that specific file opening uh

event so yeah it can be simple as that and what it's commonly used for U well obviously most interesting use case for us is the first one here um where you have file being scanned by the EDR before for instance the file being executed um and it's one of the main reasons why drrs Implement Min filters actually but they can also have uh other usage they can just collect data that can be used again for security purposes metadata such as well events on uh file creation file deletions these type of things um it's a really good source of truth because you're sitting at a fairly low level in the system you're already in the kernel so there are other

solutions that can do that in Newland but you you're here um much closer to what really happens on the file system and with these other Solutions and yeah Min files have also other usage in backup agents or file encryption decryption agents for instance but not really a concern for us today a very important point that we need to touch on before we get to the really juicy stuff is um altitude I bring this up because it'll be used in uh some of the attacks that we see afterwards so each mini filter must have a distinct altitude this altitude is just literally a value that defines the order in which each minifilter is executed on the system if you have

multiple minifilter sorry multiple mini filters that are registered they are given by um Microsoft to the vendors so if you're an EDR provider you request an altitude from Microsoft they'll check your legit give you one altitude value and then you need to use that in your mini filter driver um but really why do we need this concept it's because the filter manager needs to know which mini filter executes first when M multiple mines are registered so there are really two orders that matter first one is the the pre-operation call back order second one is the post-operation call back um so whenever you have an event on file system event this filter manager will intercept that file operation and will

intercept it sort of twice once before it's completed so that's the pre-operation Callback and once after it's completed that's the postoperation call back and the order in which um the scbs areed depends on the altitude um so Min filters with a high altitude simply have higher priority on the pre-operation and Min filters with the lower altitude have higher priority on the post operations and I think with that we've covered everything to see our first attack first thing U mini filter unloading um you could argue that's not really an attack and I would kind of agree with you um but this is probably the shest way of evading mini filters in a system simply remove them unload them

so uh this fltm c.ex is a command that's provided by Microsoft to manage Min filters in general and it has an option to Simply unload mini filters from the fight from the filter manager so that's pretty convenient as an attacker because once that link is severed well filter manager doesn't pass execution to that mini filter anymore so if you're unloading a nard a nidar mini filter most likely they won't really look at your files anymore at least from the manufacturers perspective um but there are a few catches first one is it requires some specific privileges this SC loader driver privilege um you may know if you have this privilege chances are you already admin or system on the machine

so it's not that easy to get uh second EDF providers might also try to uh hide them Min filters by giving them some sort of uh random names than just naming it hey um you know Microsoft EDR mini filter um overall an attacker would still be able to find those but requires a bit more effort and third um the unloading event does generate some noise specifically you have an event ID number one um generated by the filter manager for this so if you monitor that you might be detected second attack here is um altitude sickness so the first time I saw this technique it was actually introduced in a blog post again by tier zero

security and the principle is actually very very simple um we've seen before that each Minit needs to have a unique altitude value to define the order in which they are called but what we need not talk about is what would happen if two minits had the same value um because these altitudes are just values that are set in the registry of each minifilter if we have two minif filters nothing prevents us from changing one value to the other and this is exactly what the researcher from tier zero security did um on the left side of the screen we have two mini files of Interest the there a value that's backed out here it's actually well-known EDR so for i'

say um respect purposes we didn't put it on the presentation and then we have the the cismon driver um then what the researcher from tier zero did is just changed the cismon altitude value to that of the EDR minifilter and reboot and after that we see that the EDR minifilter is simply gone reason is at boot time it couldn't register because the altitude value was already taken now question you might have on this is why was the edas mini filter not loaded instead of the Sison driver um because finally we have those two Min filters they have the same value in the same altitude um why is one taking precedence over the other um answer I would say short answer

is the altitude is not the only um miniature setting that affects the Lord order so you have this thing called the Lord Order Group Microsoft has a nice documentation uh on this and you see actually on the on this side right here the infrastructure one is the the one that loads first so if your mini filter is part of that load Order Group while the Ed minifilter is not chances are yours will load first uh same goes for the start type and service type these are all parameters that we can play with to have our mini filter load before or at least if we're using an existing minif that's already present on the system or say a

kernel driver that's already present on the system we can look at these parameters to select um the proper one to play with next attack is a bit more interesting is um bring your own mini filter so what you see on the screen here is the textbook official Microsoft documentation which is sort of giving us a road map um on minifilter evasion with the FLT preop complete value um so what it's telling us is if we return the specific value during manosos pre-operation callback none of the Min filter below will be executed for that processed event so let's be a bit more visual about this if we could take a look at that uh filter manager again the

definition we just saw just means that if I manage to register my own mini filter I can write logic to return this pre-op complete on all the files that are of interest to me for instance mimic. exe or whatever other executable I have then any file system event involving these files will now be completed at my minifilter level only and will not be passed down to the EDR minifilter um so that simply prevents the EDR minifilter from intercepting any uh file system operation on my specific files um you might have already noticed though you need two things for this to work first you need to register your own minifilter and we'll see later on there's plenty of prevention and

detection opportunities for this and you also need your mini filter to be high enough in the chain it needs to be higher than the edrs own mini filter so we need a high altitude here which is also sort of a red flag so if we remind a little bit um we just covered this bring your own mini filter attack which relies on that completion of operation for wh listed files um in this attack we have our own mini filter uh we detect events involving our own malicious files we whitelist them so they're not passed on to the EDR and that works as expected but it's also not super practical um because any new file that we want to

whitelist we need to recompile our driver we need to reload it we need to reboot the machine so that's a lot of events and that's a lot of detection opportunities um in general from a blue team and and good security perspective we want to deny everything by default and white list only the known good and that's good practice but from a red team perspective we much rather like if it's the other way around uh where we have everything Allowed by default because that's where we find the juicy stuff that's where we have the misconfiguration the edge cases that sort of allow us to to slip through so what if we flip this attack and sort of

did the opposite instead of white listing non bad which is Blacklist non good and that's the idea of this sort of Revisited version theory behind it is also quite simple Min filters are the intersection between userland and the file system so similar to before um we can just control what is passed on uh and we can control access to the file system um the attack here this is exactly that principle we register Min filter but instead of using an allow list for the files we want to sleep through um specifically we attack the EDR itself and the EDR files so the pseudo code on the right here is pretty straightforward we have a blacklist of EDR related

executables and if any action is attempted on them we deny that action and simply complete the call back operation and that has another major advantage as well um the altitude can be as high as we want here or as low as we want because we don't need to complete these operations before the Ed's own Min filter because we're targeting non-malicious files we're targeting the EDR files and simply deny access to them so that when the EDR boots up it tries to access those files to load its agent and simply con so our full attack chain looks like this um at first we have a new system it's untouched the EDR is running we don't have any mini filter everything

looks good um Second Step we prepare the attack we need to register I me if so we need to obviously develop it register it uh one once we have that we reboot our system so that our mini filter can load and once we load the mini filter starts obviously filtering events and when the EDR tries to start its service it tries to go to its um executable tries to load that image if it says no so no image load means no EDR service means well pretty much no EDR agent running at all on the system and that's step five where the agent service is not running any anymore so from a technical perspective um let's get a bit into the the details

First Step really is to tell our filter manager that hey I have a new Mini filter that you now need to take into account um and this is actually what is done on the top function here top left with the uh FLT register filter function to do that we need a uh a filter registration object and to create that filter registration object we first need to Define what callbacks our minifilter will handle so on the right side here we see two elements in the callbacks array um I'll start with the second one because it's the the easiest one it's just here because Microsoft specifies in that documentation that every callback array must have this operation and value

at the end so that's the only reason really is there um now more interestingly the first element has four sub elements uh first argument is probably the most important it's that RP MJ create it's the value that says we want to intercept um any file system event that is um when a file handle is created so that happens when you try to access a file that happens when you try to create a file pretty much all major file operations require um that event to be triggered so for us that's very juicy because it pretty much allows us to intercept everything uh second argument is not used in our case and uh third argument is um very crucial as well

because that's a pointer to our own function that will be executed during that callback so this is where we Define our logic to uh to deny the files uh last element is null it could be also a postoperation call back but we don't need it in that case so now we're getting to the cruxs of it this is our actual logic that will be implemented here if we recall earlier we said the objective was to Blacklist uh EDR related files uh so that's exactly what we do on line six and seven here um we just ignore a few parameters because we don't use them on line eight we Define sort of a default status variable so when the events involve

files that are not the EDR related files this is what we return which is C pretty much most of the time actually and we also ignore kelal quers because we just want to prevent the EDR processes from starting at all we want to prevent the ER from accessing its own executable um but this can be done directly in userland we don't need to to worry about Canal drivers for that um and then we have at the very bottom line 16 to 18 uh we Define a constant an ARR this is all the files that we want to deny the access to so in this example here I just have test.exe but we'll see in the demo later um have

actually Defender um rated files so we'll see how we can prevent Defender from starting last piece of code um probably the most straightforward code um of this presentation online four we get the final information from the data that is passed to us via our call back online six we parse it um I'm passing on the details of why we need to do that Microsoft documentation is very clear but we simply need to get the file name pretty much and then we iterate over array of files that we want to block and if we have a match with the current file that is being processed then we deny access uh otherwise we'll just return the the default

value and in terms of technical that's pretty much it so just a quick recap before we we move on to the demo um in short this attack works by adding a new Mini filter and enture it executes on every file access operation then on each of those operations um we use the minifilter logic to compare the file name to known files that we want to to deny access to and if we have a match deny access to the file that's pretty much all you know really to understand the the PC uh which is available on GitHub I should have actually included the link um but I can share that and maybe afterwards can add in the

presentation um and if we think about next steps here we've covered sort of the wh listing of non malicious files we've covered the blacklisted the blacklisting sorry of known um good files but we could potentially combine both that might bring some robustness to the attack um but I have not tried it just yet so it's sort of uh open for the reader to to do this exercise but could be worth a shot Now demo time all right let me see if I can have my VM

popup

okay sorry it might take a little while to load would that work yes so in this demo we'll uh actually proceed in two steps first we'll just see that we have the code for mini filters then we'll see how we can sort of make sure that our minifilter actually denies access to the file by

all right let's see if I can show you guys the code in Visual Studio first that might take a while to load so in the meantime let me just get the comment prompt of course I didn't mention that but you do need administrator privileges because first of all you need to load your driver in my case it's an unsigned one because I didn't pay and go to Microsoft to tell them hey I want to sign some Kel export type of things um so you need to turn the machine into test mode and allow unsigned drivers to be loaded which is kind of a red flag also for that attack um and then you still need

to load things into the kernel so obviously you need uh administrative rights for this you might have noticed here the project the name of the project is null filter because actually I didn't write this from scratch Microsoft has a um pretty cool sort of rle of all possible filters that you can write and I just Reed one of their examples but if we have a look here at the 2C part um we have obviously R test.txt file here that will uh do some experiment with that first and then we have all these f is to actually elastic and Defender you could have a lot of other edrs here I don't foresee um any EDR really having

uh any other let's say issue with this um simply because we're preventing the process from starting so there really not much they can do in the first place um and yeah I've already pre-compiled that for demo purposes we all know how it goes and let's get to it so at first I have let me put this away I have my test.txt normally I should be able to access it right now you see me and if everything goes well in a short moment we won't be able to see that

anymore all right so first operation here we're simply creating um a service for mini filter the start type is on demand so it's it's not at boot time just yet I need to start it manually and it's simply uses uh using the the minifilter the compiled version of that minifilter obviously uh to create the service there are a few registry keys we need to import uh it's mostly actually the altitude that we need to set so that's what we're doing here and now if I start that mini filter let me just make sure that the test.txt is closed yes it has started and test. should not be accessible anymore because we simply deny access to that

file all right let me now stop the [Music] service delete it and we will now recreate it but this time we will make it start at system [Music] all right and we need to still import the registry keys without this registry key you'll get a blue screen I experienced that yesterday literally what I was trying to prepare that demo not fun all right and now all we have to do is reboot our next uh boot time our mini filter should be applied and the EDR should be um simply not running so before that let's just make sure that Defender is actually running so you guys can see I'm not doing any Shady things yeah we have real time protection

on if we check process Explorer as well we should be able to see um I believe this msmp yeah we can see the msmp NG exe U process running and now I will simply reboot

fingers crossed no blue

screen okay we've passed the most and now let me have a look at the same process Explorer and see if this msmp is there it is not so it looks like it worked and if we take a look at Defender I believe we'll just say loading status for a little while yeah getting prodection INF for uh if we wait 5 to 10 minutes it should show up as nothing's running U but actually it's pretty much disabled um let me see I have a mimat here we can try and execute it all right just copying this to desktop and then another [Music] CMD and we're in so so yeah EDR is disabled everything works sort of as

expected that's pretty much the extent of of this demo can I go back here and continue presenting from the current all right

cool okay so how can we prevent that from happening um we saw earlier unloading is the simplest way to get rid of a minil but it's also the easiest one to prevent and detect first of all requires that se load driver privilege not something really any user should have um of course you always have the problem of privilege escalation so if you have an attacker who escalates to system then you can't really prevent this right um but that's true across pretty much all of the attacks that we've seen today um the detection is also as easy as simply checking for the use of uh this flmc exe specifically with that unload argument but there are two

problems with that approach as well um first one command line ofation is a real thing there are like a thousand ways you could write that same command and at least as far as I know no ER is just capable of catching them all right now and the second one is actually the filter onload function so this uh win32 API that can also be used so an attacker could just write their own little program um the language of the choice use this function and and get really the same result um the only sort of detection point that we have there is the use of the wst detection for prevention purposes um is to monitor the use of the FLT libdl

which is where that filter on not function is defined but again um a few problems here a lot of leged programs use that dll so lots of false positives and the list of DLS are loaded into a process could also be faked um or rather an attacker could try and resolve the delay dynamically and so on there's a lot of techniques like that out there so also lots of false negatives potentially so yeah not a really great start for us on this point um second attack that we saw was the altitude sickness so if recall this attack the whole technique relies on the fact that we know the edrs minil altitude beforehand and we register

another driver at the same altitude effectively preventing the EDR minifilter from loading in the first place to count of this EDR vendors now generate the altitude dynamically at good time so instead of a fixed altitude value it still uses that fixed sort of integer part that is given um by Microsoft but ID vendors now add a five digigit decimal part that is totally random and generated at low time so that prevents us pretty much from setting the same altitudes as the OS Min filter because we would have to guess those um random five digits and we could try and reforce it but you need to reboot every time so thousand reboots or 100,000 reboots you need to have a long time and

as far as I know there's no bypasses available at this time so we're good on that point now going back this time on our U by attack the basis of the attack is you register your own mini filter uh at a higher altitude than the edrs and then you prevent all um file operations from reaching that edrs mini filter at least for your files of Interest so let's see what ioc's we can use to detect this first thing if an attacker develops their own manaure and we've touched a little based on that most likely they won't be able to sign it so well good thing to do is not allow any unsigned driver to be loaded easy enough because

Microsoft hasn't allow it by default so good point there but stolen certificates are a thing we've seen attacks with that before um so you might still be able to have sort of unle but signed driver that you could load um that way and system again is always going to be a problem with system rights you can disable signature enforcement and not side drivers which is pretty much what I did in the demo and you can also uh potentially install your own certificate Authority on the machine then s self sign the driver so lots of bypasses possible here even if the machine doesn't allow um unsigned certificates but that gives us a few is for detection

as well um first is the attitude so with that non- Revisited version of the bym you need high enough altitude and higher than the edrs mini filter actually because you need to obviously um have the events reach you before the edrs um but there's little to non legitimate use cases of that especially for unsigned driver so that's a big red flag If a minif driver is loaded at a higher altitude than EDR um then we've seen to load un sign drivers you need to disable uh Integrity checks and enable test mode so we can detect those commments here um there's a service creation command as well probably a good point for detection and the comments also to unable test mode

load the service and so on they result in changes in the registry for instance you have what the altitude that is set when you um create a new Mini filter but also for the driver signature verification this is all registry changes that we can detect so um yeah a lot of opportunities for us here finally uh in our Revisited version what could we detect well we just uh saw we need to import our own driver uh in this attack too so all the opportunities for detection that we just saw still apply um minus of course the altitude it's not a factor anymore because with that Revisited version the altitude can be as low as we want since we don't need

uh to go before the EDR mini filter at all actually in the demo the altitude literally was zero so um that that works pretty well and last Point here is this new version shuts down the EDR agent itself all the other attacks that we've seen before they shut down the mini filter portion of the EDR so you could still have other sources of telemetry here you have the EDR AG that's not starting so if you're not preventing um directly any of these events that we've seen where you need to load the mini filter you won't receive any Telemetry anymore so you won't have all these other opportunities for detection after that so just something to be mindful

about and yeah I think that wraps it up any questions

hi thanks good talk um you said that you need to uh disable the signing requirements on Windows um and you had to reboot it after enabling it as a uh to start or to be loaded on the system reboot so it's loaded first um does that mean that to exploit this you're going to have to actually reboot the system twice you need to reboot it once after disabling the signing requirements and then once after configuring it to be loaded yes so if you're um putting the system in test mode you actually need to reboot it twice if you use any of the other options like if you have somehow a stolen certificate that you're able to

use you only need to reboot once um but yeah you're correct

thanks it was great talk I want to know like uh as edia provider has uh something called as um blocking mode where they prevent the processes to be not touched let's say at the moment you are taking uh you're unloading Ed process at that point in time like uh where they don't let you touch open of handle towards the idea process how does it work all of this attack with those kind of EDR protections yeah um so actually this is sort of even different than the sort of handl opening handle process mechanism that you mentioned because here um we're preventing the EDR from starting up in the first place so when you reboot the machine after loading

your mini filter the one of the first things that uh the EDR wants to do is look at the exe at the EDR image and start the service so they can start taking all sorts of action on the system right and prot protecting and for instance putting in place um the the protection that you were just talking about right now but here we're preventing that from happening in the first place by simply deny access to the exe that is needed for the EDR process to spin up in the first place so you won't have an EDR process spin up at all so you don't sort of need to create a handle to it or affect it in any way

because it's just not created in the first place

I don't really thanks for the talk but all the time I'm listening about waiting KR my first question is if you already got if manufacturer already got local system why to bother deploying mini filter they could stop even self-protecting service at once right maybe you could argue and give me some arguments not to just stop sorry actually it's really low volume I wasn't able to hear not loud enough sorry could you repeat the question sure sure thank you if manufacturer already got local system account administrative account why for them brother to deploy any Min filter and not just stop with the same tivity the stop self-protecting service for the EDR I'm really sorry I don't think I

understood I'm sorry sorry maybe we can talk about it right after all

right any other question yeah I see

one so yeah actually potentially they could Implement that same sort of B technique that we've done where um if anything's trying to touch the EDR files we allow it and then we complete the operation so no one else can do anything about it they could do that um to my knowledge they don't and then you could also prevent that from having B the ER the own game there by again registering registering the higher altitude um but that comes also with a set of red flags because that altitude then is uh potentially yeah detected no problem anything else all right I think that's it well thank you very much for coming and yeah any comment feedback I really appreciate

it that was my first time hope I did okay thank you guys