Texas Cyber Summit 2022: Windows built-in Sandbox Disables Microsoft Defender and other EDR/AV

"Windows built-in Sandbox Disables Microsoft Defender and other EDR/AV: Attack Detection and Prevention via MemoryRanger"


• Kernel attacks are still serious for Windows OS security. It is crucial to analyze the popular techniques that result in loading kernel drivers, including the kernel-based attacks in 2021-2022.
• One of the main targets of modern threats is disabling and blinding EDR solution, and the key target is Microsoft Defender, a default Windows AV. We present the analysis of recent attacks on Microsoft Defender via kernel-mode and user-mode vectors.
• We have discovered the kernel-mode attack that sandboxes Microsoft Defender from file system and apps memory, without terminating any of Microsoft Defender's processes. The attack abuses Mandatory Integrity Control (MIC) and Security Reference Monitor (SRM) by modifying Integrity Level and Debug Privileges for the Microsoft Defender process. A similar user-mode attack can be blocked via the Windows “trust labels” mechanism, though this mechanism does not stop the newly presented kernel-mode attack that allows to disable Microsoft Defender without triggering any security features, such as PatchGuard via BSOD.
• The presented kernel-mode attack successfully disabled popular EDR/AV solutions as well.
• To block this attack and protect Microsoft Defender, we customized the hypervisor-based solution named MemoryRanger. Our experiments prove that MemoryRanger successfully blocks illegal access to the kernel data.
• For the devices that do not support hardware virtualization, we designed a user-mode solution that can detect disabling Microsoft Defender via the sandbox-based attack. The watchdog-based tool uses documented WinAPI functions, and it is compatible with all modern Windows OSes.

Скачать видео