
Hackers Could Bypass EDR by Using Windows Symbolic Links to Disable Service Executables

A new technique for attacking Windows systems has emerged that combines the “Bring Your Own Vulnerable Driver” (BYOVD) approach with the manipulation of symbolic links.

Security researchers have shown that the method can bypass Endpoint Detection and Response (EDR) products, and that it widens the set of drivers an attacker can usefully abuse.

The proof of concept (PoC) demonstrates this by disabling Windows Defender, the built-in antimalware component of Windows 11.

BYOVD refers to a technique in which attackers load a legitimate, signed but vulnerable driver in order to gain unauthorized kernel-level access.

The approach has been used by multiple threat actors in notable attacks, including ransomware campaigns by the BlackByte and Kasseika groups.

Typically, BYOVD relies on drivers with known vulnerabilities, and Microsoft adds such drivers to its vulnerable driver blocklist once they are abused.

That leaves attackers dependent on drivers that are not yet listed, and the pool shrinks each time the blocklist is updated.

The technique presented here sidesteps that restriction by combining symbolic links with the file-writing capability of legitimate, non-vulnerable drivers.

Attackers no longer need to hunt for an obscure driver with a memory-corruption or arbitrary-write bug. Any driver that writes files as part of its normal function, such as a logging or tracing driver, becomes a candidate.

Leveraging Symbolic Links for Kernel-Level Exploits

The approach targets the way EDR products are built: they typically include a kernel-mode file system minifilter that intercepts file system operations.

The minifilter forwards the events it collects to a user-mode service for analysis.

The two usual ways of blinding an EDR, unloading the minifilter or killing the protected user-mode service, both require kernel-level primitives. The new technique instead targets the EDR service's executable on disk before the service has started.

This involves the following steps:

  1. Identify drivers that write files from kernel mode, i.e. drivers that call the ZwWriteFile API.
  2. Reverse engineer those drivers to determine which file paths they write to.
  3. Register the chosen driver so that it loads during boot, before the EDR's user-mode service starts.
  4. Create a symbolic link at the driver's output path that points to a critical EDR file, such as the service executable, so that the driver's writes land on that file instead.
  5. Reboot the system: when the driver writes its output during boot, the link redirects the write and the EDR file is overwritten.

A symbolic link is a file system object that redirects operations on one path to another path. Here it redirects a legitimate driver's writes onto the executable of the EDR service, corrupting the binary so the service can no longer start.

To demonstrate the method, the PoC used Windows 11 (version 24H2) and the Process Monitor driver (PROCMON24).

The driver, loaded during the boot sequence, was made to overwrite the Antimalware Service Executable (MsMpEng.exe), the core binary of Windows Defender.

By adjusting the driver's registration in the registry so that it loads early in the boot sequence, the attackers ensured the overwrite happened before Windows Defender could initialize.

After a reboot with the malicious symbolic link in place, the targeted Windows Defender binary was overwritten and the service was disabled.

Post-exploitation checks confirmed that the overwritten executable no longer carried a valid digital signature and could not run.
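As an added example that is not part of the original article or of Zero Salarium's PoC, the PowerShell audit below looks, from the defender's side, for the three artefacts the procedure above leaves behind: an EDR service executable whose Authenticode signature no longer validates (the result of step 5), the set of boot-start kernel drivers and their load order, where a newly registered driver from step 3 shows up, and symbolic links pointing into the EDR's installation directory (step 4). The service name `WinDefend` and the directories searched for links are assumptions for illustration; run it from an elevated PowerShell 5.1 or later session.

```powershell
# Added example (not the article's or Zero Salarium's code): defender-side audit for the
# artefacts left by the boot-driver + symbolic-link overwrite technique.
# Assumptions: the EDR service is WinDefend; $LinkScanRoots are the directories searched
# for stray symbolic links. Run elevated on PowerShell 5.1+.

$EdrService    = 'WinDefend'
$LinkScanRoots = @("$env:SystemRoot\Temp", $env:ProgramData, "$env:SystemDrive\Users\Public")

# Normalise a registry ImagePath (quoted, with arguments, or with kernel prefixes such as
# \SystemRoot\ or \??\) into a plain Win32 path to the binary.
function ConvertTo-Win32Path {
    param([Parameter(Mandatory)][string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p -match '^"([^"]+)"')                  { $p = $Matches[1] }  # "C:\...\x.exe" -args
    elseif ($p -match '^(.+?\.(exe|sys))(\s|$)') { $p = $Matches[1] }  # C:\...\x.exe -args
    $p = $p -replace '^\\\?\?\\', ''                                    # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"              # \SystemRoot\System32\...
    if ($p -match '^System32\\') { $p = "$env:SystemRoot\$p" }          # System32\drivers\x.sys
    return $p
}

# 1. Has the EDR service executable been overwritten? An intact Microsoft binary validates
#    as Authenticode 'Valid'; an overwritten one reports NotSigned or HashMismatch.
function Test-EdrBinary {
    param([string]$ServiceName = $EdrService)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $exe = ConvertTo-Win32Path (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    $sig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service    = $ServiceName
        Path       = $exe
        Exists     = Test-Path -LiteralPath $exe
        Signature  = if ($sig) { $sig.Status } else { 'Unreadable' }
        Signer     = if ($sig) { $sig.SignerCertificate.Subject } else { $null }
        Suspicious = -not ($sig -and $sig.Status -eq 'Valid')
    }
}

# 2. Every boot-start driver (Start = 0, Type 1 or 2) loads before any user-mode service,
#    so a newly registered logging/tracing driver appears in this list. Group and Tag decide
#    the order within the boot phase. Signer and location are only a heuristic: a genuinely
#    Microsoft-signed driver such as PROCMON24 passes both, so diff this list against a
#    known-good build instead of trusting the Suspicious flag alone.
function Get-BootStartDrivers {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $v = Get-ItemProperty -Path $_.PSPath
        if ($v.Start -ne 0 -or -not $v.ImagePath -or ($v.Type -ne 1 -and $v.Type -ne 2)) { return }
        $bin = ConvertTo-Win32Path $v.ImagePath
        $sig = if (Test-Path -LiteralPath $bin) { Get-AuthenticodeSignature -FilePath $bin } else { $null }
        $inDriversDir = $bin -like "$env:SystemRoot\System32\drivers\*"
        $msSigned     = $sig -and $sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*'
        [pscustomobject]@{
            Driver     = $_.PSChildName
            ImagePath  = $bin
            Group      = $v.Group
            Tag        = $v.Tag
            Signer     = if ($sig) { $sig.SignerCertificate.Subject } else { '<binary missing>' }
            Suspicious = -not ($inDriversDir -and $msSigned)
        }
    }
}

# 3. Symbolic links whose target lies inside the EDR's install directory: the redirection
#    from step 4 is a link at the driver's output path pointing at the EDR executable.
function Find-LinksInto {
    param([Parameter(Mandatory)][string]$TargetDir, [string[]]$Roots = $LinkScanRoots)
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
            Where-Object { $_.LinkType -eq 'SymbolicLink' } |
            ForEach-Object {
                $link = $_
                foreach ($t in @($link.Target)) {           # string[] on 5.1, string on 7
                    if ($t -like "$TargetDir*") {
                        [pscustomobject]@{ Link = $link.FullName; Target = $t }
                    }
                }
            }
    }
}

$edr = Test-EdrBinary
$edr | Format-List
Get-BootStartDrivers | Sort-Object Group, Tag | Format-Table Driver, Group, Tag, Signer, Suspicious -AutoSize
Find-LinksInto -TargetDir (Split-Path -Parent $edr.Path) | Format-Table -AutoSize
```

The signature check is the decisive indicator after the fact: a service binary that reports anything other than `Valid` has been tampered with and will not start. The driver list is most useful as a baseline comparison, because the whole point of the technique is that the abused driver is legitimate and correctly signed, so neither the signer nor the `System32\drivers` location will single it out.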

This method significantly raises the risk associated with BYOVD. By pairing any driver that writes files with symbolic link abuse, it widens the pool of drivers an attacker can use far beyond those with exploitable bugs.

According to Zero Salarium, the reliance on symbolic links also reduces attackers’ dependency on outdated or obscure vulnerable drivers.

As this technique evolves, it underscores the need for continuous advancements in driver security and proactive threat detection.

The attack shows how threat actors keep finding new ways to blind EDR systems and evade detection, posing a fresh challenge for defenders.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
