Tuesday, November 12, 2024
Homecyber securityExploiting Windows MiniFilter to Bypass EDR Protection

Exploiting Windows MiniFilter to Bypass EDR Protection

Published on

Malware protection

Windows Minifilter drivers are a type of file system filter driver that operates within the Windows operating system to manage and modify I/O operations without direct access to the file system. 

They utilize the Filter Manager, which simplifies their development by providing a consistent interface for handling various file operations.

Researchers at Tier Zero Security recently discovered that Windows MiniFilter can be abused by threat actors to bypass EDR.

- Advertisement - SIEM as a Service

Windows MiniFilter Bypass

Windows utilizes MiniFilter drivers to intercept I/O operations, assigning each a unique Altitude value (between 0 and 429900) that determines their load order in the Filter Manager. 

This system can be exploited to prevent Endpoint Detection and Response (EDR) drivers from loading, effectively blinding their telemetry by blocking kernel callbacks. 

An attacker can manipulate the Windows registry to reassign an EDR driver’s Altitude to another MiniFilter that loads earlier, preventing the EDR from registering with the Filter Manager. 

Filter Manager architecture (Source - Tier Zero Security)
Filter Manager architecture (Source – Tier Zero Security)

For example, modifying the Sysmon driver’s Altitude to match Microsoft Defender for Endpoint’s WdFilter (Altitude 328010) can block WdFilter from loading. 

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

While some vendors have implemented mitigations like the defense of Microsoft that terminates the regedit when attempting to modify Sysmon’s Altitude, the other attack vectors remain. 

Using default MiniFilters like “FileInfo” to adopt the EDR’s Altitude can still succeed. 

This technique can disable real-time protection, which allows the execution of malicious tools like “Mimikatz” to be performed without detection. 

Similarly, targeting the MsSecFlt driver (Altitude 385600) is responsible for security policy enforcement and network traffic monitoring that can further compromise the system defenses.

Here the core principle is exploited by this vulnerability, and each MiniFilter’s Altitude must be unique which highlights a critical flaw in the security architecture of Windows. 

The attack method works across various EDR solutions and emphasizes the need for robust protection of MiniFilter Altitude assignments in the Windows OS, reads the Tier Zero Security report.

⁤EDR vendors face challenges with MiniFilter driver loading orders in Windows systems. ⁤

To ensure proper security, some vendors have implemented mitigations like dynamically assigning Altitude values and adjusting the load order of their MiniFilter drivers.

⁤However, attackers can still manipulate the registry values to bypass these security measures.

⁤⁤Key registry values affecting driver load order include:- ⁤

  • ⁤Group (FSFilter Infrastructure) ⁤
  • ⁤Start (BOOT_START) ⁤
  • ⁤Type (SERVICE_KERNEL_DRIVER) ⁤
  • ⁤Tag ⁤

⁤Changing these parameters and altitude makes it possible for attackers to install malicious drivers at an early stage of the loading process, which prevents legitimate security drivers from ⁤ 

For instance, changing a driver’s Group to “FSFilter Infrastructure,” setting Start to 0 (BOOT_START), Type to 1 (SERVICE_KERNEL_DRIVER), and strategically setting the Tag value can significantly alter the loading sequence. 

This vulnerability affects some vendors, including MDE (Microsoft Defender for Endpoint). 

To address this issue effectively, SOC (Security Operations Center) teams should implement comprehensive monitoring of all MiniFilter-related registry changes, not just for Sysmon, and respond promptly to any suspicious modifications across all MiniFilter drivers.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...