Windows MiniFilter Can Be Abused To Bypass EDR


The Windows MiniFilter driver, like the Sysmon driver, can be abused to prevent EDR drivers from loading. 

Endpoint Detection and Response (EDR) processes are difficult for adversaries to stop, even with local administrator or system-level access to an endpoint, because they are made to function autonomously and persistently. 


Eito Tamura, Principal Consultant, Tier Zero Security, found that a MiniFilter driver, like the Sysmon driver, can be abused to stop EDR drivers from loading while testing the Sysmon driver. 

“This effectively blinds telemetry by blocking kernel callbacks. This exploits the load order of MiniFilters and the requirement that each MiniFilter’s Altitude must be unique to its driver”, reads the blog post.


The Filter Manager Architecture

Eito Tamura explains that assigning the EDR driver’s Altitude to another MiniFilter that loads before it stops the EDR driver from registering with the Filter Manager.

Filter Manager Architecture

Microsoft has put some mitigations in place. When the researcher tried to change the Sysmon driver’s altitude to match that of the MDE driver (WdFilter) so that WdFilter would not load, a warning was raised and the regedit process was terminated.

Alert popped up

After an alert appeared on the desktop, the Altitude entry was removed. Without manually restoring the Altitude, Sysmon is effectively disabled.

The Altitude entry had been removed

He stated that other MiniFilter drivers, including ones present on the system by default such as FileInfo, can be used to repeat the same attack and test whether a similar defence mechanism would trigger.

Unexpectedly, that change was not blocked, and the Sysmon driver’s altitude was effectively set to the MDE value (328010).

“I was able to bypass this by using different registry types, such as REG_MULTI_SZ. This vulnerability has since been mitigated, and it can no longer be bypassed”, reads the blog post.

Additionally, MiniFilters now support a new Altitude format, XXXXX.YYYYY: five digits, a dot (“.”), and five further digits.

The YYYYY part is assigned dynamically and changes every time the filter loads, which prevents an attacker from giving another MiniFilter driver the same Altitude.

He also explained how to change the registry settings for the Sysmon driver so that Sysmon loads earlier and successfully stops WdFilter from loading.

Certain vendors, including MDE, are still impacted by the issue. The mitigations put in place by the mentioned EDR provider might provide a workable fix for this MiniFilter issue. 

Hence, SOC teams should keep an eye out for any unusual registry changes pertaining to Altitude across all MiniFilters—not just Sysmon—and take swift action if they find any.
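As an added example for that monitoring advice (not code from the original post or from Tier Zero Security), the following PowerShell script reads every MiniFilter instance’s Altitude from the registry and flags the three conditions the article describes: two filters sharing one Altitude, an Altitude stored as a type other than REG_SZ (such as REG_MULTI_SZ), and a filter that is registered but absent from the Filter Manager’s loaded list. It assumes the standard layout HKLM\SYSTEM\CurrentControlSet\Services\<driver>\Instances\<instance>\Altitude and that the filter name reported by fltmc equals the service key name; run it elevated.

```powershell
# Added detection example; assumes the standard MiniFilter registry layout and an elevated shell.
function Get-MiniFilterAltitude {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($inst in Get-ChildItem -Path "$base\*\Instances\*" -ErrorAction SilentlyContinue) {
        if ($inst.GetValueNames() -notcontains 'Altitude') { continue }
        $raw = $inst.GetValue('Altitude')
        [pscustomobject]@{
            Driver     = $inst.Name.Split('\')[-3]          # ...\Services\<driver>\Instances\<instance>
            Instance   = $inst.PSChildName
            Altitude   = ($raw -join ' ').Trim()
            ValueType  = $inst.GetValueKind('Altitude')     # expected: String (REG_SZ)
            # Legacy "NNNNNN" or the newer "XXXXX.YYYYY" form, stored as a single string
            WellFormed = ($raw -is [string]) -and ($raw -match '^\d{1,6}(\.\d{1,6})?$')
        }
    }
}

$filters = Get-MiniFilterAltitude

# 1. Two instances sharing one Altitude: the collision the attack relies on.
$filters | Group-Object Altitude | Where-Object Count -gt 1 | ForEach-Object {
    $drivers = ($_.Group.Driver | Sort-Object -Unique) -join ', '
    Write-Warning ("Altitude {0} is shared by: {1}" -f $_.Name, $drivers)
}

# 2. Altitude stored as anything other than REG_SZ, or a value that is not a valid altitude.
$filters | Where-Object { $_.ValueType -ne 'String' -or -not $_.WellFormed } | ForEach-Object {
    Write-Warning ("Suspicious Altitude for {0}\{1}: type={2} value='{3}'" -f `
        $_.Driver, $_.Instance, $_.ValueType, $_.Altitude)
}

# 3. Cross-check the registry against what the Filter Manager actually loaded
#    (fltmc prints a two-line header, then one filter per line, name first).
$loaded = fltmc.exe filters 2>$null | Select-Object -Skip 2 |
    ForEach-Object { ($_ -split '\s+')[0] } | Where-Object { $_ }
$filters | Where-Object { $_.Driver -notin $loaded } | ForEach-Object {
    Write-Warning ("Registered but not loaded: {0} (Altitude {1})" -f $_.Driver, $_.Altitude)
}
```

This is a point-in-time scan; to catch the registry change as it happens, the same Instances keys can be watched with Sysmon Event ID 13 (RegistryEvent, value set) or a registry SACL with object-access auditing enabled.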
