Disable advanced EDR solutions by abusing Microsoft signed kernel driver
In our daily research we discovered an awesome project on Github that focused on killing protected processes, especially modern anti malware solutions.
https://github.com/Yaxser/Backstab | Yasser Alhazmi (@Yas_o_h)
We tested the tool successfully against the latest and fully updated Cortex XDR Agent which uses the “cyserver.exe” as main process. Terminating a process with protection level “PsProtectedSignerAntimalware” is not a trivial task even with administrative or system integrity level access.
How it works
The tool uses a kernel driver shipped with the Sysinternals Process Explorer (https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer) that is digitally signed by Microsoft. After running the tool, a dummy service (not visible while being executed) is created using the SE_PRIVILEGE_ENABLED flag and loads the signed driver from disk into memory (NtLoadDriver). Now the tool is able to communicate with the driver and instructs it to kill the targeted process. This behavior can be reproduced by using the UI of Process Explorer as they’re using the same technique.
What next?
This method is not limited to Cortex EDR, but we reported the problem to Palo Alto specifically, as they have a track record of responding immediately to security issues. As this method has already been published and this post does not demonstrate any previously unknown vulnerabilities, we decided to share this information in order to raise awareness. Stay tuned for updates.
2021-07–16: Palo Alto reacted to this kind of thread and released an updated version of Cortex which prevents the execution using their “Behavior Threat Protection” component.