Security researchers have developed two new attack techniques that can be used to blind cybersecurity products. The methods, presented at a cybersecurity conference, abuse Event Tracing for Windows (ETW), the logging mechanism that has shipped with Windows by default since Windows 2000.
Binarly researchers disclosed two ETW bypass techniques and demonstrated them against Process Monitor and Windows Defender.
In the Process Monitor example, a malicious application running with administrator privileges on the targeted system stopped the ETW session that Process Monitor relies on and created a fake session in its place.
As a result, Process Monitor no longer receives network activity telemetry: the attacker has effectively blinded it. Restarting Process Monitor does not restore the telemetry, so the effect persists.
In the case of Windows Defender, the researchers showed that it can be blinded by setting the registry values that configure its ETW sessions to zero.
Windows Defender can also be blinded from kernel mode: a malicious kernel driver modifies fields in the kernel memory structures associated with Defender's ETW sessions.
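The two user-visible symptoms described above (an autologger configuration zeroed in the registry, and a session that is stopped or replaced by a fake one carrying none of the expected providers) can be checked from an elevated PowerShell prompt. The script below is an added example written for this page, not Binarly's tooling or Microsoft's. It assumes Windows 10/11 with the built-in EventTracingManagement module (`Get-EtwTraceSession`, `Get-EtwTraceProvider`); the default session names `DefenderApiLogger` and `DefenderAuditLogger` are the Windows Defender autologger names on Windows 10 and may differ on other builds, and any other tool's session name (Process Monitor's included) can be passed via `-SessionName`.

```powershell
# Added example, not Binarly's code: audit the ETW sessions a security tool depends on.
# Checks two things the attacks on this page tamper with:
#  1. the autologger registry configuration (Start=0 disables the session at boot), and
#  2. whether the session is live and still carries the providers the registry expects.
# Assumptions: Windows 10/11 with the EventTracingManagement module; the default
# session names are the Windows Defender autologger names on Windows 10 (they may
# differ on other builds). Run from an elevated prompt.

function Test-EtwSessionHealth {
    [CmdletBinding()]
    param(
        [string[]]$SessionName = @('DefenderApiLogger', 'DefenderAuditLogger')
    )

    $autologgerRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger'

    foreach ($name in $SessionName) {
        $findings = @()
        $expectedGuids = @()
        $key = Join-Path $autologgerRoot $name

        # 1. Registry configuration of the autologger.
        if (Test-Path $key) {
            $cfg = Get-ItemProperty -Path $key
            if ($cfg.Start -ne 1) {
                $findings += "autologger Start is '$($cfg.Start)' (expected 1): session disabled at boot"
            }
            # Provider subkeys are named by provider GUID; normalise to brace-less lowercase
            # so they compare cleanly against the live provider list below.
            $expectedGuids = @(Get-ChildItem -Path $key -ErrorAction SilentlyContinue |
                ForEach-Object { $_.PSChildName.Trim('{}').ToLowerInvariant() })
            if ($expectedGuids.Count -eq 0) {
                $findings += 'no provider subkeys under the autologger key: session would log nothing'
            }
        } else {
            $findings += "autologger key missing: $key"
        }

        # 2. Live session state: present, and carrying the expected providers.
        $live = Get-EtwTraceSession -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $live) {
            $findings += 'session is not running'
        } else {
            $liveGuids = @(Get-EtwTraceProvider -SessionName $name -ErrorAction SilentlyContinue |
                ForEach-Object { ([string]$_.Guid).Trim('{}').ToLowerInvariant() })
            # A replacement session keeps the name but rarely the same provider set.
            $missing = @($expectedGuids | Where-Object { $liveGuids -notcontains $_ })
            if ($missing.Count -gt 0) {
                $findings += "live session lacks $($missing.Count) configured provider(s): $($missing -join ', ')"
            }
        }

        if ($findings.Count -eq 0) { $findings = @('OK') }

        # Emit an object per session so the result can be logged or shipped to a SIEM.
        [pscustomobject]@{
            Session  = $name
            Findings = $findings
        }
    }
}

# Usage: audit the default Defender sessions; add -SessionName for other tools.
Test-EtwSessionHealth | Format-List
```

Run it once on a known-good host to record the expected provider GUIDs per session, then periodically; a session that disappears, loses its providers, or shows Start=0 without a corresponding change-management record is the registry- or session-level symptom the researchers describe. It does not detect the kernel-driver variant, which leaves the registry and the session name intact.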
Several threat actors, including APT41, LockerGoga and the Slingshot APT, have previously been observed tampering with ETW in attacks on their victims, though not in the way the researchers demonstrated.
According to the researchers, the approaches are very practical, and even ETW sessions considered secure can be tampered with by altering a few fields in a kernel structure.
Binarly has developed open-source tools for detecting and preventing ETW attacks and says they will be released shortly.
Although the demonstrations targeted Process Monitor and Windows Defender, the researchers argue that the same class of attack can be used to disable a whole range of security solutions.
There is currently no evidence that these specific techniques have been used in the wild. Because the whole point of the attacks is to blind EDR products, exploitation would be very hard to detect, so the security community should remain vigilant and adopt proactive defence strategies.