2024-12-14 –, Track 3
This presentation explores the advanced use of minifilters in offensive security operations, focusing on their application in bypassing and disabling EDRs. We will delve into the architecture of EDR systems and common offensive uses of mini filters, such as bypassing file system monitoring.
We will then introduce a novel technique to entirely disable EDRs via the abuse of minifilters.
The talk will also cover the implications for defensive security and potential countermeasures, aiming to provide valuable insights for both offensive and defensive security professionals.
1. Introduction
This presentation will explore the use of minifilters, an essential components of EDRs, in offensive security operations, with a focus on their application in bypassing and disabling EDR systems.
2. EDR Architecture Overview
We will first provide a high level description of EDR systems, their components and architecture. This is essential to understand how minifilters contribute to EDR systems and the capabilities they provide. It sets the stage to understand how such capabilities could be abused.
3. Common Minifilters Abuse Techniques
We then rapidly go through common known techniques involving minifilters used during offensive security operations, especially around file system monitoring bypass to hide suspicious file activity.
4. A New Minifilter Abuse Technique to Disable EDRs
In this section, we present a novel technique which allows to entirely disable EDR agents and prevent them from running on endpoints. This technique relies on the registration of a PreOperation callback to prevent EDR agents from accessing critical resources, effectively crippling them.
We dive into the Kernel concepts involved and provide a step-by-step breakdown of the whole process.
We compare this new technique to other minifilter abuse techniques in terms of effectiveness in hiding malicious activities and IoCs.
5. Detecting Minifilter Abuse
In this final section, we explore the defensive side of things:
- Potential countermeasures and their limitations
- Potential strategies for detecting and mitigating minifilter-based attacks
6. Conclusion and Q&A
Finally, we will summarise the key takeaways and open the floor for questions and discussion.
Tom is a cybersecurity enthusiast who spends his days hacking things and his nights learning from other hackers. When he's not lost in his debugger trying to understand why his Hello World program crashes, he's leading the charge in offensive security at Responsible Cyber.
Tom's passion for all things cyber has led him down some interesting paths, including playing around with LLMs, spending way too much on cloud resources, or more recently diving deep into kernel-level operations for fun.