Disable advanced EDR solutions by abusing Microsoft signed kernel driver

In our daily research we discovered an awesome project on Github that focused on killing protected processes, especially modern anti malware solutions.

https://github.com/Yaxser/Backstab | Yasser Alhazmi (@Yas_o_h)

We tested the tool successfully against the latest and fully updated Cortex XDR Agent which uses the “cyserver.exe” as main process. Terminating a process with protection level “PsProtectedSignerAntimalware” is not a trivial task even with administrative or system integrity level access.

As mentioned in the help menu, the tool is able to kill the protected process using the “-n cyserver.exe -k” command-line switches

How it works

The tool uses a kernel driver shipped with the Sysinternals Process Explorer (https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer) that is digitally signed by Microsoft. After running the tool, a dummy service (not visible while being executed) is created using the SE_PRIVILEGE_ENABLED flag and loads the signed driver from disk into memory (NtLoadDriver). Now the tool is able to communicate with the driver and instructs it to kill the targeted process. This behavior can be reproduced by using the UI of Process Explorer as they’re using the same technique.

What next?

This method is not limited to Cortex EDR, but we reported the problem to Palo Alto specifically, as they have a track record of responding immediately to security issues. As this method has already been published and this post does not demonstrate any previously unknown vulnerabilities, we decided to share this information in order to raise awareness. Stay tuned for updates.

2021-07–16: Palo Alto reacted to this kind of thread and released an updated version of Cortex which prevents the execution using their “Behavior Threat Protection” component.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
evait security GmbH

full time white hacking / pentesting company who always stays on bleeding edge - https://www.evait.de