Friday, February 14, 2025
Homecyber securityExploiting Windows MiniFilter to Bypass EDR Protection

Exploiting Windows MiniFilter to Bypass EDR Protection

Published on

SIEM as a Service

Follow Us on Google News

Windows Minifilter drivers are a type of file system filter driver that operates within the Windows operating system to manage and modify I/O operations without direct access to the file system. 

They utilize the Filter Manager, which simplifies their development by providing a consistent interface for handling various file operations.

Researchers at Tier Zero Security recently discovered that Windows MiniFilter can be abused by threat actors to bypass EDR.

Windows MiniFilter Bypass

Windows utilizes MiniFilter drivers to intercept I/O operations, assigning each a unique Altitude value (between 0 and 429900) that determines their load order in the Filter Manager. 

This system can be exploited to prevent Endpoint Detection and Response (EDR) drivers from loading, effectively blinding their telemetry by blocking kernel callbacks. 

An attacker can manipulate the Windows registry to reassign an EDR driver’s Altitude to another MiniFilter that loads earlier, preventing the EDR from registering with the Filter Manager. 

Filter Manager architecture (Source - Tier Zero Security)
Filter Manager architecture (Source – Tier Zero Security)

For example, modifying the Sysmon driver’s Altitude to match Microsoft Defender for Endpoint’s WdFilter (Altitude 328010) can block WdFilter from loading. 

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

While some vendors have implemented mitigations like the defense of Microsoft that terminates the regedit when attempting to modify Sysmon’s Altitude, the other attack vectors remain. 

Using default MiniFilters like “FileInfo” to adopt the EDR’s Altitude can still succeed. 

This technique can disable real-time protection, which allows the execution of malicious tools like “Mimikatz” to be performed without detection. 

Similarly, targeting the MsSecFlt driver (Altitude 385600) is responsible for security policy enforcement and network traffic monitoring that can further compromise the system defenses.

Here the core principle is exploited by this vulnerability, and each MiniFilter’s Altitude must be unique which highlights a critical flaw in the security architecture of Windows. 

The attack method works across various EDR solutions and emphasizes the need for robust protection of MiniFilter Altitude assignments in the Windows OS, reads the Tier Zero Security report.

⁤EDR vendors face challenges with MiniFilter driver loading orders in Windows systems. ⁤

To ensure proper security, some vendors have implemented mitigations like dynamically assigning Altitude values and adjusting the load order of their MiniFilter drivers.

⁤However, attackers can still manipulate the registry values to bypass these security measures.

⁤⁤Key registry values affecting driver load order include:- ⁤

  • ⁤Group (FSFilter Infrastructure) ⁤
  • ⁤Start (BOOT_START) ⁤
  • ⁤Type (SERVICE_KERNEL_DRIVER) ⁤
  • ⁤Tag ⁤

⁤Changing these parameters and altitude makes it possible for attackers to install malicious drivers at an early stage of the loading process, which prevents legitimate security drivers from ⁤ 

For instance, changing a driver’s Group to “FSFilter Infrastructure,” setting Start to 0 (BOOT_START), Type to 1 (SERVICE_KERNEL_DRIVER), and strategically setting the Tag value can significantly alter the loading sequence. 

This vulnerability affects some vendors, including MDE (Microsoft Defender for Endpoint). 

To address this issue effectively, SOC (Security Operations Center) teams should implement comprehensive monitoring of all MiniFilter-related registry changes, not just for Sysmon, and respond promptly to any suspicious modifications across all MiniFilter drivers.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

WinZip Vulnerability Allows Remote Attackers to Execute Arbitrary Code

A newly discovered vulnerability in WinZip, a popular file compression and archiving utility, has...

New Microsoft Windows GUI 0-Day Vulnerability Actively Exploited in the Wild

A newly discovered vulnerability in Microsoft Windows, identified by ClearSky Cyber Security, is reportedly...

Burp Suite Professional / Community 2025.2 Released With New Built-in AI Integration

PortSwigger has announced the release of Burp Suite Professional and Community Edition 2025.2, introducing...

Arbitrary File Upload Vulnerability in WordPress Plugin Let Attackers Hack 30,000 Website

A subgroup of the Russian state-sponsored hacking group Seashell Blizzard, also known as Sandworm,...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

WinZip Vulnerability Allows Remote Attackers to Execute Arbitrary Code

A newly discovered vulnerability in WinZip, a popular file compression and archiving utility, has...

New Microsoft Windows GUI 0-Day Vulnerability Actively Exploited in the Wild

A newly discovered vulnerability in Microsoft Windows, identified by ClearSky Cyber Security, is reportedly...

Burp Suite Professional / Community 2025.2 Released With New Built-in AI Integration

PortSwigger has announced the release of Burp Suite Professional and Community Edition 2025.2, introducing...