Recon 2022

Living Off the Walled Garden: Abusing the Features of the Early Launch Antimalware Ecosystem
06-04, 14:00–15:00 (US/Eastern), Grand Salon

Early Launch Antimalware (ELAM) functionality in Windows offers robust anti-tampering mitigations whereby security vendors declare a Microsoft-approved list of explicitly allowed signers to run as protected (PPL) services. Microsoft makes clear that these mitigations are best-effort attempts to mitigate against security product tampering by labeling ELAM and PPL "defense-in-depth security features." This talk aims to make clear why these mitigations are "best-effort" and ultimately indefensible.

This talk will cover a methodology for assessing ELAM drivers and demonstrate scenarios where overly-permissive rules open up adversary tradecraft opportunities, not through exploiting vulnerabilities but through the abuse of intended functionality. A single, overly-permissive ELAM driver enables an adversary to not only tamper with security products but it also supplies malware with anti-tampering protections, hampering detection and remediation efforts. The talk will conclude with a demo of gaining user-mode code execution through an abusable, signed executable running with an antimalware-light protection level.

See also:

Matt is a threat researcher who loves to apply his reverse engineering skills to understand attack techniques at a deeper level in order to more confidently contextualize them, understand relevant detection optics, and to understand the workflow attackers use to evade security controls. He is committed to making security research both accessible and actionable to defenders.