Veni, No Vidi, No Vici: Attacks on ETW Blind EDR Sensors

Presented at Black Hat Europe 2021, Nov. 10, 2021, 1:30 p.m. (40 minutes)

Event Tracing for Windows (ETW) is a built-in feature originally designed for software diagnostics; today ETW is essential for Endpoint Detection & Response (EDR) solutions.

ETW is deeply integrated into the Windows kernel and is involved in many API calls that trace OS events. ETW functions are used by numerous EDRs and by business and academic projects to respond to security threats.

The bad news for defenders is that ETW is vulnerable: malware countermeasures can disable ETW, making this whole class of EDRs useless.

We will analyze the existing attacks on ETW, uncover some ETW internals (data structures and reversed kernel API routines), and use them to demonstrate two new attacks on ETW. These attacks blind ETW-based EDRs without triggering any OS security features such as KPP. A newly released tool, Binarly Sensor, can detect both attacks, while an updated MemoryRanger can prevent only the second one.

The first attack is focused on the NT Kernel Logger session. Process Monitor collects network events by using this logger. To blind Process Monitor, we will use an app to illegally stop a running NT Kernel Logger session. The Circular Kernel Context Logger and other logger sessions can be attacked similarly.

The second attack is focused on the ETW logger sessions used by Windows Defender. The attack is based on patching ETW data structures. We will demonstrate a kernel driver that queries information about ETW logger sessions and stops them, which results in disabling defense mechanisms.

A new protection tool, called Binarly Sensor, can reveal both attacks. It uses a kernel driver to extract information about critical OS data and code, and it can disclose various attacks on the Windows kernel.

These attacks impact all versions of Windows from Vista to 11, because they target the design of ETW's core features.
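Both attacks end with an ETW logger session that an EDR depends on no longer running. A simple defensive check is to enumerate the active trace sessions and alert when an expected one is missing or stopped. The PowerShell script below is an added example, not code from the talk or from Binarly's tools; it relies only on the built-in `logman query -ets` command. The two session names it expects by default are the ones the abstract names (NT Kernel Logger, used by Process Monitor, and the Circular Kernel Context Logger); which sessions your own sensor needs is an assumption you must supply via `-ExpectedSessions`.

```powershell
# Added example (not from the Black Hat abstract or from Binarly's tools):
# checks that the ETW logger sessions an EDR depends on are still running.
# The default session names are the two named in the abstract; any other
# session your sensor relies on is an assumption and must be passed in.

param(
    [string[]]$ExpectedSessions = @(
        'NT Kernel Logger',              # used by Process Monitor (per the abstract)
        'Circular Kernel Context Logger' # named in the abstract as similarly attackable
    )
)

# 'logman query -ets' lists active trace sessions, one per line, in the
# columns "Data Collector Set  Type  Status" (Type is 'Trace' for ETW sessions).
$raw = & logman.exe query -ets 2>&1
if ($LASTEXITCODE -ne 0) { throw "logman failed: $raw" }

$running = foreach ($line in $raw) {
    if ($line -match '^(?<name>.+?)\s{2,}Trace\s+(?<status>\S+)\s*$') {
        [pscustomobject]@{ Name = $Matches.name.Trim(); Status = $Matches.status }
    }
}

# Collect every expected session that is absent or not in the 'Running' state.
$missing = @()
foreach ($name in $ExpectedSessions) {
    $s = $running | Where-Object { $_.Name -eq $name }
    if (-not $s) { $missing += $name; continue }
    if ($s.Status -ne 'Running') { $missing += "$name ($($s.Status))" }
}

if ($missing.Count -eq 0) {
    Write-Output "All expected ETW sessions are running."
    exit 0
} else {
    Write-Warning "ETW sessions missing or stopped: $($missing -join ', ')"
    exit 1
}
```

Run it from an elevated prompt (enumerating kernel sessions needs administrative rights), for example as a scheduled task that feeds its exit code into monitoring. Note the limitation the abstract itself implies: this check only observes session state from user mode after the fact, so it catches a stopped session but not the patched kernel data structures behind the second attack; inspecting those requires a kernel-side component such as the Binarly Sensor driver described in the talk.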

Presenters:

  • Andrey Golchikov - Research Fellow, Binarly
    Andrey Golchikov is a guru of Windows Internals and Windows Security Research. He has been in operating system security for over 20 years. He developed Yandex Web Antivirus for 11 years. Andrey has produced a huge amount of cutting-edge research and shared it in his blog - http://redplait.blogspot.com.
  • Igor Korkin - Security Researcher, Binarly
    Igor Korkin, PhD is a security researcher from Moscow, Russia. He has been in cybersecurity for about 10 years working on various areas related to Windows OS kernel security and hypervisor-based protection. He enjoys applying both academic knowledge and practical expertise to make computer systems secure and reliable. In his thesis, he carried out cross-disciplinary research to detect hidden hardware-based hypervisors. He is keen on responding to real-world challenges. His research results were presented at SADFE, IEEE SP 2021 (USA), HITB 2020 (Singapore), Black Hat 2018 (Europe), REcon 2016 (Canada), six ADFSL conferences 2014-2019 (USA), and RusCrypto 2011 (Russia).
  • Claudiu Teodorescu - Chief Technology Officer, Binarly
    Claudiu Teodorescu is a Researcher at Binarly with an extensive background in Computer Forensics, Cryptography, Reverse Engineering, and Program Analysis. While at Cylance, he focused on program analysis to augment the ML model feature space with code-specific artifacts. Prior to Cylance, Claudiu worked for FireEye, in the FLARE (FireEye Labs Advanced Reverse Engineering) team as a Sr. Reverse Engineer, leading research projects such as WMI and Application Compatibility based malware persistence, Windows 10 RAM page compression, and also serving as an instructor of FLARE's Advanced Malware Analysis course (BlackHat USA 2015, 2016). Prior to FireEye, he worked for Guidance Software as Principal Developer/Manager writing forensic parsers for different file formats, mail containers, and integrations with different disk/volume/file-based encryption products to support the EnCase tool. Claudiu is the author of the WMI-parser tool to help IR teams forensically identify malware persistence.
