Exploiting Windows MiniFilter to Bypass EDR Protection

Windows Minifilter drivers are a type of file system filter driver that operates within the Windows operating system to manage and modify I/O operations without direct access to the file system. 

They utilize the Filter Manager, which simplifies their development by providing a consistent interface for handling various file operations.

Researchers at Tier Zero Security recently discovered that Windows MiniFilter can be abused by threat actors to bypass EDR.

Windows MiniFilter Bypass

Windows utilizes MiniFilter drivers to intercept I/O operations, assigning each a unique Altitude value (between 0 and 429900) that determines their load order in the Filter Manager. 

This system can be exploited to prevent Endpoint Detection and Response (EDR) drivers from loading, effectively blinding their telemetry by blocking kernel callbacks. 

An attacker can manipulate the Windows registry to reassign an EDR driver’s Altitude to another MiniFilter that loads earlier, preventing the EDR from registering with the Filter Manager. 

For example, modifying the Sysmon driver’s Altitude to match Microsoft Defender for Endpoint’s WdFilter (Altitude 328010) can block WdFilter from loading. 

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

While some vendors have implemented mitigations like the defense of Microsoft that terminates the regedit when attempting to modify Sysmon’s Altitude, the other attack vectors remain. 

Using default MiniFilters like “FileInfo” to adopt the EDR’s Altitude can still succeed. 

This technique can disable real-time protection, which allows the execution of malicious tools like “Mimikatz” to be performed without detection. 

Similarly, targeting the MsSecFlt driver (Altitude 385600) is responsible for security policy enforcement and network traffic monitoring that can further compromise the system defenses.

Here the core principle is exploited by this vulnerability, and each MiniFilter’s Altitude must be unique which highlights a critical flaw in the security architecture of Windows. 

The attack method works across various EDR solutions and emphasizes the need for robust protection of MiniFilter Altitude assignments in the Windows OS, reads the Tier Zero Security report.

⁤EDR vendors face challenges with MiniFilter driver loading orders in Windows systems. ⁤

To ensure proper security, some vendors have implemented mitigations like dynamically assigning Altitude values and adjusting the load order of their MiniFilter drivers.

⁤However, attackers can still manipulate the registry values to bypass these security measures.

⁤⁤Key registry values affecting driver load order include:- ⁤

• ⁤Group (FSFilter Infrastructure) ⁤
• ⁤Start (BOOT_START) ⁤
• ⁤Type (SERVICE_KERNEL_DRIVER) ⁤
• ⁤Tag ⁤

⁤Changing these parameters and altitude makes it possible for attackers to install malicious drivers at an early stage of the loading process, which prevents legitimate security drivers from ⁤ 

For instance, changing a driver’s Group to “FSFilter Infrastructure,” setting Start to 0 (BOOT_START), Type to 1 (SERVICE_KERNEL_DRIVER), and strategically setting the Tag value can significantly alter the loading sequence. 

This vulnerability affects some vendors, including MDE (Microsoft Defender for Endpoint). 

To address this issue effectively, SOC (Security Operations Center) teams should implement comprehensive monitoring of all MiniFilter-related registry changes, not just for Sysmon, and respond promptly to any suspicious modifications across all MiniFilter drivers.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial