It Comes From Inside the House: Overthrowing Windows Deep Security
I’m imagining a scene from a heist movie. The bank boasts of its new ultimate security force behind its locks, walls and lasers. The heist team is looking for ways to overthrow that system. Can we slip one of our men into the defense force? Use bribes or threats to compromise a guard? Or maybe just find a guard who’s sloppy?
Although much more technical, the technique for subverting the Early Launch Antimalware (ELAM) system in Windows, as described by Red Canary’s principal threat researcher, Matt Graeber, in his Black Hat briefing, follows a similar script.
Graeber explained that an ELAM driver is tamper-proof and runs so early in the boot process that it can evaluate other drivers as they load, with the potential to block malicious ones. “To build this driver, you don’t need to implement any early release code,” Graeber explained. “The only thing you need is a binary resource with rules indicating which signers are allowed to run as Antimalware Light services. And you must be a member of the rather exclusive Microsoft Virus Initiative program.”
“I had to investigate how the rules are implemented,” Graeber said. He then described how he analyzed Microsoft Defender’s WdBoot.sys to determine the expected structure of these rules. Each rule stipulates that any program signed with a specific digital certificate is allowed to run as an Antimalware Light service, which gives it serious protections.
It is not possible to slip in an unapproved driver of your own, as each must be approved by Microsoft. And anti-tampering constraints mean it’s also impossible to modify an existing driver. “ELAM is an allowlist for Antimalware Light services,” Graeber said. “And what if it was too permissive? Is there an ELAM driver that may be too permissive?”
A grueling search
Graeber relied on many resources in his search for a lax driver, one of which was VirusTotal Intelligence. You may be familiar with VirusTotal’s free malware check, which allows you to submit a file or hash and have it checked by around 70 antivirus engines. VirusTotal Intelligence provides much wider access to detailed information about just about every file and program in existence.
“Searching for ELAM drivers I got 886 results from VirusTotal,” Graeber said. “I filtered the list to validate the results and brought it to 766. I identified many vendors with ELAM drivers, some of them strange.” Here, Graeber showed a list that included an empty vendor name and several that seemed incomplete. “If some providers are weird, maybe there is a set of rules that is weird.”
Ultimately, he discovered five certificates from four security companies which, as he hoped, provided a means to subvert ELAM. Without going into the details of the certificate chains, he determined that any program with one of them in its certificate chain could run in Antimalware Light protected mode. All he had to do was cross-reference a list of these programs with VirusTotal’s malware list to get a gallery of nasty malware that might be running protected.
How to weaponize this weakness?
At this point, the talk went off the technical deep end. Graeber described searching the LOLBins catalog for an abusable executable, supplying a suitable version of Microsoft Build (MSBuild), and overcoming various obstacles to get it to execute arbitrary code. I’m sure the brilliant programmers in the audience nodded in admiration.
After a live demonstration, Graeber noted the possibility of various payloads. “Your own malware is protected, and you can kill other protected processes,” he said. “We effectively killed the Microsoft Defender engine in the demo.” The code is public, although Graeber mentioned that “I had to change some filenames to protect innocent vendors.”
How to detect and mitigate this attack?
“This is an abuse of ELAM functionality, not a vulnerability,” Graeber said. “I can’t begin to speculate why any of these certificates would be allowed. Shame on Microsoft! Hopefully there will be a robust solution in the future. Vendors, I’m not here to shame any of you. I don’t even blame the vendors for overly permissive drivers, since Microsoft allowed them. I encourage every vendor to audit your signed ELAM driver rule sets. You wouldn’t want to be the one who ruined the whole ecosystem.”
Graeber holds out hope for a fix. “I reported this to Microsoft in December 2021,” he said. “They acknowledged the issue, and the Defender team really understood it. They took it very seriously and sent a notification to Microsoft Virus Initiative members. If you’re a member, you already know this.”
He concluded by offering resources for other researchers to replicate his work. It may look like he is putting weapons in the hands of malware coders, but never fear. Graeber provided the framework for further investigation, but anyone trying to use it will have to duplicate his search for a permissive driver and an abusable payload.
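The audit Graeber asks vendors to perform can be started on any Windows host. The script below is an added example, not code from the talk or the article; it assumes the resource name and type that ELAM drivers use for their signer rules (MicrosoftElamCertificateInfo / MSElamCertInfoID) and an assumed record layout for the rules inside it, so treat the parsed fields as a starting point for review, not as authoritative.

```powershell
# Added audit helper (not from the talk or the article). It dumps the signer rules an ELAM
# driver carries in its "MicrosoftElamCertificateInfo" / "MSElamCertInfoID" resource.
# Assumed record layout: WORD rule count, then per rule a null-terminated wide-string
# thumbprint, a WORD hash algorithm (0x800C SHA-256, 0x8004 SHA-1) and a wide-string EKU list.
Add-Type -Namespace ElamAudit -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet=CharSet.Unicode, SetLastError=true)]
public static extern IntPtr LoadLibraryEx(string path, IntPtr hFile, uint flags);
[DllImport("kernel32.dll", CharSet=CharSet.Unicode, SetLastError=true)]
public static extern IntPtr FindResource(IntPtr hMod, string name, string type);
[DllImport("kernel32.dll")] public static extern IntPtr LoadResource(IntPtr hMod, IntPtr hRes);
[DllImport("kernel32.dll")] public static extern IntPtr LockResource(IntPtr hData);
[DllImport("kernel32.dll")] public static extern uint SizeofResource(IntPtr hMod, IntPtr hRes);
[DllImport("kernel32.dll")] public static extern bool FreeLibrary(IntPtr hMod);
'@

function Read-WStr([byte[]]$b, [ref]$off) {
    # Consume one null-terminated UTF-16LE string and advance the offset past the terminator.
    $start = $off.Value
    while ($off.Value + 1 -lt $b.Length -and ($b[$off.Value] -bor $b[$off.Value + 1]) -ne 0) { $off.Value += 2 }
    $s = [Text.Encoding]::Unicode.GetString($b, $start, $off.Value - $start)
    $off.Value += 2
    return $s
}

function Get-ElamSignerRules([Parameter(Mandatory)][string]$DriverPath) {
    # LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE: map the PE, execute nothing.
    $h = [ElamAudit.Native]::LoadLibraryEx($DriverPath, [IntPtr]::Zero, 0x22)
    if ($h -eq [IntPtr]::Zero) { return }
    try {
        $res = [ElamAudit.Native]::FindResource($h, 'MicrosoftElamCertificateInfo', 'MSElamCertInfoID')
        if ($res -eq [IntPtr]::Zero) { return }                  # not an ELAM driver
        $size = [int][ElamAudit.Native]::SizeofResource($h, $res)
        $ptr  = [ElamAudit.Native]::LockResource([ElamAudit.Native]::LoadResource($h, $res))
        $b = New-Object byte[] $size
        [Runtime.InteropServices.Marshal]::Copy($ptr, $b, 0, $size)
    } finally { [void][ElamAudit.Native]::FreeLibrary($h) }

    $count = [BitConverter]::ToUInt16($b, 0); $off = 2
    for ($i = 0; $i -lt $count; $i++) {
        $thumb = Read-WStr $b ([ref]$off)
        $alg   = [int][BitConverter]::ToUInt16($b, $off); $off += 2
        $ekus  = Read-WStr $b ([ref]$off)
        [pscustomobject]@{ Driver = Split-Path -Leaf $DriverPath; Thumbprint = $thumb
                           Algorithm = @{ 0x800C = 'SHA256'; 0x8004 = 'SHA1' }[$alg]; EKUs = $ekus }
    }
}

# Audit every driver on disk: a rule naming a certificate that many unrelated programs chain
# to lets all of them run as Antimalware Light, which is the over-permissive case to review.
Get-ChildItem "$env:SystemRoot\System32\drivers\*.sys" |
    ForEach-Object { Get-ElamSignerRules $_.FullName } | Format-Table -AutoSize
```

Each thumbprint can then be matched against the driver vendor's own signing certificates with Get-AuthenticodeSignature to confirm it belongs to a narrowly scoped signer rather than a widely shared one.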
Still, the picture of malware taking over the secure bunker provided by ELAM and killing defense programs is alarming. Hopefully the security community, Microsoft in particular, comes up with a defense soon.