Early Launch Antimalware (ELAM) functionality in Windows offers robust anti-tampering mitigations whereby security vendors declare a Microsoft-approved list of explicitly allowed signers to run as protected (PPL) services. Microsoft makes clear that these mitigations are best-effort attempts to mitigate against security product tampering by labeling ELAM and PPL "defense-in-depth security features." This talk aims to make clear why these mitigations are "best-effort" and ultimately indefensible.
This talk will cover a methodology for assessing ELAM drivers and demonstrate scenarios where overly-permissive rules open up adversary tradecraft opportunities, not through exploiting vulnerabilities but through the abuse of intended functionality. A single, overly-permissive ELAM driver enables an adversary to not only tamper with security products but it also supplies malware with anti-tampering protections, hampering detection and remediation efforts. The talk will conclude with a demo of gaining user-mode code execution through an abusable, signed executable running with an antimalware-light protection level.