
[Applause] So, good morning. First of all, thank you to the team from BSides Munich for the organization and for giving me the chance to speak here today. Welcome to "Master of Puppets: How to tamper the EDR". My name is Daniel, I'm the founder of the company Infosec Tirol, with which I mainly focus on offensive security services on Windows, and I also spend a lot of my time researching and learning in the area of antivirus products, EDR products and the Windows internals.

Today we take a look at the MITRE sub-technique "Impair Defenses: Disable or Modify Tools", and we focus on how we can disable the main functionalities of an EDR by targeted tampering of specific key components of them. But we want to achieve this without relying on an uninstall password or token, uninstall software, uninstalling the product generally, or by using the Windows Security Center. I would like to point out that when I speak about EDR systems in this presentation, I always refer to products which are also in the cloud and include an antivirus module, so an EPP/EDR combination. Also I would like to point out it's only my personal research, my personal experience, and the shown strategy or concept applies to multiple products on Windows.

In the first step we try to get a better understanding of the different components of EDRs in user space and in kernel space. We learn a little bit about their functionality and, importantly, how the relationship is between the different components in user space and kernel space. In the second step we want to use the gained knowledge to find a way, or to find more or less the key element depending on the product, to permanently disable the main functionality of an EDR: permanently get rid of prevention by the antivirus module, and permanently get rid of detections and telemetry footprint, host isolation, real-time response and the EDR sensor recovery feature by the EDR module. So we have big plans. At the end of the presentation we should be more or less able, depending on the product, to disable the EDR.

So this presentation is not about zero-days, it's more about learning a little bit about the Windows internals and how EDR products work on Windows. There can be some situations where it is also possible to do some activities as an unprivileged user, but normally you need a privileged user in high integrity or system integrity level. But despite that, everybody who has fought around with EDRs knows that even if you have a privileged user, most well-known EDR products can still be very annoying and be a problem. Normally it is not possible to simply uninstall the product, because if the blue team has done its homework correctly, you have to know the uninstall password to uninstall the product, and as mentioned in the intro we want to achieve this without relying on an uninstall password.

So imagine the following scenario: you have landed a successful phish and you were also able to escalate your local privileges. In my case I was able to use the print exploit to escalate to system integrity context, and by having a look at the process structure of the compromised machine I saw that there is another interesting user session open. So, believe it or not, in my case it was one from the domain admins, and I knew, okay, it could be easy to get credentials by dumping the lsass process or to impersonate the domain admin by token stealing. But the problem was that I created many alerts in the admin console of the product, the blue team was informed, and I got isolated from the machine. And that was more or less the starting point of my journey digging deeper into the Windows internals and EDR products to find a way to disable the main functionality of them.

So we start with the user space component of an EDR and have a look at EDR processes. Normally the processes of EDR products are executed as protected process light (PPL) processes. This means that even if you have achieved system integrity context, it shouldn't be possible to simply terminate the process. But in the meantime there are a few ways how we can deal with PPL processes from the red team side. So one possibility can be to use more or less the concept of a driver with an access vulnerability, like the MSI Afterburner RTCore64 driver. So when we have a look at the picture: in the first step we try to escalate our unprivileged user to a local privileged user in high integrity or system integrity context, and by this we should have the privilege to load a driver on Windows. And by loading the RTCore64 driver we also get write access to kernel space because of the access vulnerability, and compared to user space, in kernel space on Windows there is no isolation between the different code sections. This means that theoretically we would have access to the whole kernel space. In this case we will use the vulnerable driver to attach to the EPROCESS structure of the PPL EDR process, and we temporarily patch the PPL flag and can then use different kinds of tools to terminate the no longer protected process. So for example PPLKiller uses the RTCore64 driver in its code, or Mimikatz brings its own device driver. Also an interesting way, depending on the product: it can work if you are able to execute Process Hacker in a privileged way. Depending on the product it is possible to directly terminate the PPL process in the system session without removing the PPL flag in the first step.

The conclusion of process tampering is that there are ways to tamper the process, to terminate the processes, but from my observation this termination was always just temporary. So if you terminate the process, a few seconds later or at least a minute later the process gets restarted and the EDR is back. Because of this, in the next step we take a look at the user space component and take a closer look at EDR services. So we have to identify the service which is connected to the protected process, and the protected service and the protected process more or less build together the user space component. But similar to protected processes, even if you have achieved system integrity on Windows, it's not simply possible to pause, stop or disable a protected service. But also important in our situation: when we have a look at the recovery tab of the protected service, we can see that the service is the component which is responsible for restarting the PPL process after terminating it. Conclusion on services: we learned a little bit about the relationship between protected processes and protected services. Similar to processes, it is also not possible to temporarily disable the service, but maybe we can find a way to still disable the service. Because of this, in the next step we take a look at the user space component and EDR registry keys.

So we have to identify the EDR registry key of the user space component. Normally you can find them under ControlSet / CurrentControlSet\Services, and there are two interesting entries, the LaunchProtected and the Start entry. Because time is a little bit short, we will focus on the Start entry. By the Start entry we can have influence on the initialization behavior of the protected service. This means if we would be able to change the value for the Start entry from the value 2, which is equal to autoload, to the value 4, which is equal to disabled, it should be possible to disable the protected service and furthermore the user space component of the EDR. But the problem is, similar to processes and services of the EDR, even in system integrity it is not possible with most products, and depending on the product, when you try to tamper the registry key you will create an alert in the web console. That was the problem in my journey and the reason why I was isolated from the compromised machine.

So the interim status: at the moment we are not really able to permanently disable the EDR or the user space component, but we learned a little bit about the relationship between the different components in user space, and we see that the registry key could be more or less the key element, by changing the value for the Start entry, to permanently disable the user space component. But at the moment it is not possible because the registry key or their keys are protected by a tamper protection mechanism of the EDR. Because of this, in the fourth step we make our first step into kernel land and have a look at kernel callback routines. Since the introduction of Kernel Patch Protection, aka PatchGuard, it is no longer officially possible for EDR vendors to set their hooks in kernel space, so they are forced in user space to use user-space API hooking. But despite PatchGuard, they can use in kernel space a mechanism which is called callback routines, and register different kinds of callbacks to realize different kinds of tasks in user space. So for example they can use the process notify routine to register and realize telemetry collection in the context of process creations. Also they can use the process notify routine to realize user space DLL injection and furthermore realize user-space API hooking. But more important in our situation now: the callback routines of EDR products can also be used to protect their own registry keys. So this more or less could be the key element for the tamper protection of the registry keys. In this case the product is using the CmRegisterCallback function, but we will see in our first pre-recorded demo (pre-recorded because I have to blur every sensitive information) that not just the CmRegisterCallback can be used; they also use all the callbacks to protect their keys. And in the first demo we try to patch the process notify callback temporarily, disable the user space component, and have a look at the impact.
So, for a first plausibility check, because at least we want to dump... okay.

Okay, that looks better.
For a first plausibility check, to see that the antivirus component and the EDR are completely configured, and because at least we want to get credentials from the lsass process, we execute the pre-compiled version of Mimikatz which you can find on GitHub. So we execute it and we should see that we get prevented by the antivirus module and the file gets deleted. In the next step we make a short plausibility check in the context of the tamper protection. So at the beginning we try to terminate the protected process by executing Process Explorer in system integrity context, but we are not allowed to do this. Also in the case of the protected service, even in system integrity we get an access denied, and if we try to tamper the value for the Start entry to the value of 4 to disable the user space component, we also get an access denied. And depending on the product, now we will have created an alert and you get with a high probability isolated from the machine by the blue team.

Because of this we use a very nice PoC which you can find on GitHub. It is called CheekyBlinder; it's not from my side, I called it in this case pari.dxe. In the first step we will use that PoC to load the driver with the vulnerability, the RTCore64 driver, to get access to kernel space. So we load the driver, the driver is initialized, and in the next step we list all the registered process notify routines on the machine, and the blurred one on the lower side is our routine from the EDR product. In the next step we will use the PoC to temporarily patch the callback, and after reopening the registry it should now be possible to change the value for the Start entry and to disable the user space component, because tamper protection is now no longer active. So we change the value to 4, which is equal to disabled, and we have to reboot the machine.

After the reboot we see at the lower right side that now the EDR product is no longer registered in the Windows Security Center, and also by having a look at the structure in Process Explorer we now no longer see blurred sections, because there are no longer processes of the user space component. Also if we check the status of the user space component we will see that the service is now stopped. So it looks very nice, maybe we have until now reached all of our goals, but this is not the case, because after the reboot we have a few problems. We again list the registered callbacks on the machine and we will see that all the previously patched callbacks are re-registered again. This means in the case of prevention and detection based on kernel callback routines, and furthermore user-space API hooking, we again have the problem of prevention, detection and especially telemetry footprinting. So again when we execute Mimikatz, it can again be prevented, and despite the user space component being disabled, we still have the problem that the blue team can use the isolate function to isolate our compromised machine. So in a few seconds we will see that we lose connection to our compromised target.
So what's the conclusion from the first demo? We saw that we can more or less use the concept of the vulnerable device driver to get access to kernel space, remove or patch the respective callback, tamper the registry key, change the value for the Start entry to 4, and by restarting the machine we can permanently disable the user space component. But we also saw that only disabling the user space component does not really have a strong impact in reaching our previously defined goals, and no matter if you have rebooted the machine and you would again patch all the callbacks of the EDR, you would still have the problem that host isolation, the recovery feature and, the last one, the features which the blue team can use in the web console are still active. So the biggest problem is that despite the user space component being disabled and you patching all the callbacks, you still have the problem with the host isolation. Even if you would not do a reboot and you just want to temporarily patch the callback, you still have the problem that your host can still get isolated by the blue team. So not really efficient from this point, and we have to take our last step.

In the final step we take a look at the EDR minifilter driver. The minifilter driver is the component which in general is responsible for registering the callbacks of the EDR, and that is also always the problem why, even if the user space component is disabled, the minifilter driver, as a separate component, is still active, and after the reboot the callbacks get re-registered again. But the good thing is that the minifilter has its own registry key and has a similar structure to the user space component. This means that depending on the product, the minifilter driver can be more or less the key element to permanently disable the main functionalities and get rid of prevention, host isolation, real-time response and the EDR recovery feature. To check this out we will have a look at our second demo, where we try to tamper the minifilter driver and permanently get rid of prevention, detection, telemetry collection and so on.
So we start at the point where we stopped. Remember, we got isolated from the machine, so we will lift the containment and get back the connection to our compromised target. Very important now: we want to re-enable the user space component in the first step and only disable the minifilter driver, because we want to check what the impact is if we only disable the minifilter. We re-list the callbacks again, we see that the process notify routine is still there, we query the user space component service, which is currently stopped, and we check the status of the minifilter with fltmc, and we see that the minifilter is still running. So we open the registry and re-enable the user space component by changing the value of the Start entry back from 4 to the value 2. But we're not allowed. Why? Remember, we did a reboot, so we have to patch the callback one more time and reopen the registry. So we patch the process notify routine again, reopen the registry, we now re-enable in the first step the user space component, set the value back to the value 2, and then we go to the minifilter registry key and change the value to 4, which is equal to disabled, and reboot the machine.

After the reboot we see that now the EDR is still not registered in the Windows Security Center, but when we now have a look at Process Explorer we see blurred sections again; the reason for this is, I have to blur it because there are again user space component processes active. We query the status of the user space service and we see that the service is now running again, but the minifilter driver is now stopped. And at least we check the impact of disabling the minifilter: we see that no callbacks are registered any longer, we try to isolate the machine again, it looks like the tamper protection is no longer active, so we can change the value however we want without creating a detection or creating a footprint based on telemetry, and finally we can execute Mimikatz and dump the credentials very relaxed, I would say. Isolation is still not happening, so it looks like isolating the machine is no longer working.

Okay, so what's the conclusion from the second demo? We saw that compared to disabling the user space component, depending also on the product, this minifilter has a much stronger impact in the case of reaching our goals, to permanently disable the main functionalities of the EDR and permanently get rid of prevention by the antivirus module, detection, footprinting, host isolation and so on. At the end of the presentation I would like to point out that in my opinion this is not really based on a vulnerability, more it's based on the concept of the Windows architecture, and I think every vendor excluding Microsoft has to play by the same rules on Windows. So many thanks for your attention.
[Applause] Cool, thank you very much. We have some time for questions. Any questions? Yeah, please just line up at the mic, and whoever is faster.

Testing, testing. Seems to be working. Your almost last sentence was: every vendor except Microsoft has to play by the same rules. Could you go through the "except Microsoft" thing?

Yeah, I think the difference compared to third-party vendors is that Microsoft is, I think, not really only forced to go in user space, because since the introduction of PatchGuard officially it's not allowed, or maybe if you use a PatchGuard bypass then you can also go in kernel space. But I think that, from my experiences, Microsoft has a very deep, or deeper, visibility; it has more visibility into kernel space compared to other vendors.

Follow-up: have you looked into cutting them off, or their EDR products, do you need additional kernel space disabling capabilities?

No, at the moment I have only, while researching, the area of minifilters. Also I write a blog post about vulnerable drivers, so I had a look at different components but not on ETW. When you mean this one, ETW will be the topic for my next project.

Looking forward to it. Thank you.

Thank you. So how do you think they would go about fixing this? Do you think there's any possibility within the kernel space or from the isolation perspective, and do you think Windows 11 could fix this? Is there anything on the way with TPM 2.0 to fix this? And what do you think, how hard would it be for somebody interested in pen testing to learn this? Do you think you could make a lab about this, or can anybody learn this, or is it just too oversimplified here?

No, you can definitely learn it; I also use it by myself. For sure you have to be very sensitive, because when you do a failure in the kernel space you will create a blue screen of death. But if you know the product very well you can use it, depending on the machine. So maybe when you are attacking a very sensitive machine it is maybe not good when you do this. What you can do about it: I could observe that well-known products are beginning to blacklist the drivers which have vulnerabilities. This is one way, but it is possible to use different PoCs to maybe flip some bytes and get bypassed by that detection. Another possibility would be: there is a software vendor on the market, I will not say the name, but they focus on a mechanism which is based on the web fiber waffle variable [unclear], and the products have the possibility to include this code into their code, and by this they will realize when there is something changed or tampered and they can re-enable it or repair it on the machine.

And do you think Windows 11 will fix something about that, or with TPM, is there any way a vendor could facilitate it to protect in any kind?

It's a good question. So at the moment I have not had a deeper look at Windows 11, but I think generally with the drivers you can only use drivers which are released from July 2015 onwards; it is harder, but there are still drivers which can be used on Windows 11. I can't say too much because I have too little experience at the moment.

Thank you. Thank you, wonderful. Any more questions?

Okay, cool, thank you very much. Very interesting. Thank you.
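As a defender-side complement to the talk (an added example, not code shown by the speaker and not part of any PoC he names), the following Python sketch shows how the two steps of the chain the demos walk through would surface in endpoint telemetry: a vulnerable driver (RTCore64.sys, the one named in the talk) being loaded, followed by the Start value of an EDR service or its minifilter driver under CurrentControlSet\Services being set to 4 (disabled), or its LaunchProtected value being written. It assumes Sysmon-style records (EventID 6 driver loads, EventID 13 registry SetValue events) serialised as JSON lines; the EDR service and driver names are placeholders, since the real ones are blurred in the talk, and every sample event is constructed.

```python
"""Detection sketch for the EDR-tampering chain described in the talk.

Added example, not the speaker's code. Scans constructed Sysmon-style JSON
records (EventID 6 = DriverLoad, EventID 13 = RegistryEvent/SetValue) for
a known-vulnerable driver load and for Start=4 / LaunchProtected writes on
an EDR service or minifilter. Service names are placeholders.
"""
import json
import re
from dataclasses import dataclass

# Placeholder names for the EDR user-space service and its minifilter driver.
MONITORED_SERVICES = {"exampleedrsvc", "exampleedrflt"}
# Only the driver named in the talk; in practice populate from a curated blocklist (assumption).
VULNERABLE_DRIVERS = {"rtcore64.sys"}
SERVICE_DISABLED = 4  # Start = 4 is the value the talk sets to disable a service or driver

# Matches ...\Services\<name>\Start or ...\Services\<name>\LaunchProtected
SERVICES_VALUE_RE = re.compile(r"\\services\\([^\\]+)\\(start|launchprotected)$", re.I)
# Sysmon renders DWORD data as e.g. "DWORD (0x00000004)"
DWORD_RE = re.compile(r"DWORD \(0x([0-9a-f]{8})\)", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str     # which condition fired
    subject: str  # service name or driver file name
    detail: str   # new registry value or driver signer
    image: str    # process that made the change, or driver path loaded


def parse_dword(details: str):
    """Return the integer behind Sysmon's 'DWORD (0x...)' rendering, or None."""
    m = DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def check_registry_event(ev: dict):
    """Sysmon 13: Start=4 or any LaunchProtected write on a monitored service."""
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return None
    m = SERVICES_VALUE_RE.search(ev.get("TargetObject", ""))
    if not m or m.group(1).lower() not in MONITORED_SERVICES:
        return None
    service, value_name = m.group(1), m.group(2).lower()
    details, image = ev.get("Details", ""), ev.get("Image", "")
    if value_name == "start":
        if parse_dword(details) == SERVICE_DISABLED:
            return Finding("edr_service_disabled", service, details, image)
        return None  # setting it back to 2 (autoload) is not flagged
    return Finding("edr_launchprotected_modified", service, details, image)


def check_driver_event(ev: dict):
    """Sysmon 6: a driver whose file name is on the vulnerable list was loaded."""
    if ev.get("EventID") != 6:
        return None
    image = ev.get("ImageLoaded", "")
    name = image.rsplit("\\", 1)[-1].lower()
    if name in VULNERABLE_DRIVERS:
        return Finding("vulnerable_driver_loaded", name, ev.get("Signature", ""), image)
    return None


def scan(lines):
    """Run both checks over JSON lines, preserving event order."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        for check in (check_registry_event, check_driver_event):
            f = check(ev)
            if f is not None:
                findings.append(f)
    return findings


def chain_detected(findings):
    """True when a vulnerable-driver load precedes an EDR Start=4 write,
    the sequence of the talk's demos (load driver, patch callback, edit registry)."""
    seen_driver = False
    for f in findings:
        if f.rule == "vulnerable_driver_loaded":
            seen_driver = True
        elif seen_driver and f.rule == "edr_service_disabled":
            return True
    return False


# Constructed sample events (not real telemetry), in the order the demo chain would emit them.
SERVICES = r"HKLM\System\CurrentControlSet\Services"
SAMPLE_EVENTS = [
    json.dumps({"EventID": 6, "ImageLoaded": r"C:\Users\Public\RTCore64.sys",
                "Signature": "Micro-Star International", "SignatureStatus": "Valid"}),
    json.dumps({"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\regedit.exe",
                "TargetObject": SERVICES + r"\ExampleEdrSvc\Start", "Details": "DWORD (0x00000004)"}),
    json.dumps({"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\regedit.exe",
                "TargetObject": SERVICES + r"\ExampleEdrSvc\Start", "Details": "DWORD (0x00000002)"}),
    json.dumps({"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\regedit.exe",
                "TargetObject": SERVICES + r"\ExampleEdrFlt\Start", "Details": "DWORD (0x00000004)"}),
    json.dumps({"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\services.exe",
                "TargetObject": SERVICES + r"\Spooler\Start", "Details": "DWORD (0x00000004)"}),
    json.dumps({"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
                "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}),
    json.dumps({"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\regedit.exe",
                "TargetObject": SERVICES + r"\ExampleEdrSvc\LaunchProtected", "Details": "DWORD (0x00000000)"}),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:30} {f.subject:14} {f.detail:20} {f.image}")
    print("full tampering chain observed:", chain_detected(scan(SAMPLE_EVENTS)))
```

Two points follow from the talk itself. A successful Start=4 write on a key the product's callbacks normally protect is a strong signal on its own, because in the demos that write only succeeds after the callback has been patched; and the driver-load check is the blocklisting approach the speaker says well-known products are beginning to adopt, which is why a driver-name match should be corroborated with hash and signer data rather than trusted alone.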