Friday, January 31, 2025
Hackers Could Bypass EDR Using Windows Symbolic Links to Disable Service Executables


A groundbreaking technique for exploiting Windows systems has emerged, combining the “Bring Your Own Vulnerable Driver” (BYOVD) approach with the manipulation of symbolic links.

Security researchers have uncovered how this method can bypass Endpoint Detection and Response (EDR) mechanisms and expand the scope of drivers susceptible to exploitation.

The proof of concept (PoC) for this method demonstrates its applicability by disabling Windows Defender, a critical security feature in Windows 11.

BYOVD refers to a technique wherein attackers leverage legitimate but vulnerable drivers to gain unauthorized kernel-level access.

This approach has been used by multiple threat actors in notable cyberattacks, including ransomware campaigns by BlackByte and Kasseika groups.

Typically, BYOVD relies on targeting drivers with known vulnerabilities listed in Microsoft’s blocklist.

However, this dependency restricts attackers to outdated or unlisted drivers, limiting their arsenal as blocklists are updated.

The innovation presented in this method mitigates these restrictions by utilizing symbolic links and the file-writing capabilities of legitimate drivers.

Attackers no longer need to find obscure, vulnerable drivers. Instead, they focus on drivers with inherent file-writing functionalities, such as those used for logging or tracing.

Leveraging Symbolic Links for Kernel-Level Exploits

The new approach exploits the operational flow of EDR systems, which often include kernel-level components (Minifilters) for intercepting file system operations.

These Minifilters pass collected data to user-mode services for processing.

The two common methods for disabling EDR, unloading Minifilters or terminating user-mode services, require deep kernel exploitation. The new technique sidesteps this by targeting the executable file of the EDR service before it launches.

This involves the following steps:

  1. Identify drivers with file-writing capabilities that invoke the ZwWriteFile API.
  2. Reverse engineer these drivers to locate the targeted file paths.
  3. Register these drivers in the system to ensure they execute before the EDR user-mode service.
  4. Create symbolic links that redirect the driver’s output to overwrite critical EDR files, such as the executable.
  5. Reboot the system to allow the symbolic link to trigger file overwriting.

Symbolic links act as advanced shortcuts that redirect operations to alternate file paths. In this case, they are used maliciously to overwrite the executable file of the EDR service, rendering it inoperable.

To demonstrate the effectiveness of this method, the PoC utilized Windows 11 (Version 24H2) with Process Monitor’s driver (PROCMON24).

This driver, loaded during the boot sequence, was configured to overwrite the Antimalware Service Executable (MsMpEng.exe), a key file for Windows Defender.

By manipulating the system’s registry to prioritize the Process Monitor driver during boot, attackers ensured that file overwriting occurred before Windows Defender could initialize.

After rebooting the system with a maliciously created symbolic link, the targeted Windows Defender file was successfully overwritten, disabling the service.

Post-exploitation checks confirmed that the service’s file had lost its signature, making it unusable.
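A defender-side check, added here as an example and not taken from the article or from Zero Salarium's PoC, covering both the five-step procedure listed above and the post-exploitation signature check: it verifies the Antimalware Service Executable's Authenticode signature, looks for reparse points (symbolic links or junctions) in the Defender platform tree, and lists boot- and system-start kernel drivers with their signers, flagging unsigned ones and any PROCMON* driver. It assumes an elevated Windows PowerShell 5.1+ session, the default WinDefend service name, and the usual Defender platform directory layout.

```powershell
# Added defender-side check for the symlink-overwrite technique described above;
# it is not the article's or the researchers' code. Assumes an elevated
# Windows PowerShell 5.1+ session and the default 'WinDefend' service name.

function Resolve-ImagePath([string]$ImagePath) {
    # Normalise the forms found in HKLM\SYSTEM\...\Services\<name>\ImagePath
    $p = $ImagePath.Trim('"') -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# 1. The PoC leaves MsMpEng.exe without a valid signature: check it directly.
$svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend'
$exe = Resolve-ImagePath $svc.ImagePath
$sig = Get-AuthenticodeSignature -FilePath $exe
Write-Output ("MsMpEng.exe signature: {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject)

# 2. A symbolic link planted on or beside the service executable is the
#    overwrite vector: flag any reparse point in the Defender platform tree.
$platformDir = Split-Path (Split-Path $exe -Parent) -Parent
Get-ChildItem -Path $platformDir -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Warning ("Reparse point: {0} -> {1}" -f $_.FullName, ($_.Target -join ',')) }

# 3. The attack needs a file-writing driver registered to start before the
#    user-mode service: list boot/system-start kernel drivers with their signers,
#    and call out unsigned ones and the Process Monitor driver (PROCMON*) the PoC used.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $r = Get-ItemProperty $_.PSPath
    if ($r.Type -eq 1 -and $null -ne $r.Start -and $r.Start -le 1 -and $r.ImagePath) {
        $path = Resolve-ImagePath $r.ImagePath
        $s = try { Get-AuthenticodeSignature -FilePath $path -ErrorAction Stop } catch { $null }
        $signer = if ($s -and $s.SignerCertificate) { $s.SignerCertificate.Subject } else { 'n/a' }
        $flag = if ($_.PSChildName -like 'PROCMON*' -or -not $s -or $s.Status -ne 'Valid') { '!!' } else { '  ' }
        Write-Output ("{0} {1,-24} Start={2} [{3}] {4} {5}" -f $flag, $_.PSChildName, $r.Start, $s.Status, $path, $signer)
    }
}
```

Lines marked `!!` and any reported reparse point are leads for investigation, not verdicts; a legitimately installed boot-start driver from a non-Microsoft vendor will also appear in the list.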

This exploitation method significantly elevates the risks associated with BYOVD. By targeting any driver with file-writing capabilities and coupling it with symbolic link abuse, the attack surface for kernel-level exploits has widened.

According to Zero Salarium, the reliance on symbolic links also reduces attackers’ dependency on outdated or obscure vulnerable drivers.

As this technique evolves, it underscores the need for continuous advancements in driver security and proactive threat detection.

The attack demonstrates how threat actors innovate to blind EDR systems and evade detection, creating a new challenge for security professionals.

Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.
