I picture a scene from a heist movie. The bank boasts of its new, ultimate security force inside the locks, walls, and lasers. And the heist crew looks for ways to subvert that system. Can we slip one of our people into the defense force? Use bribes or threats to compromise a guard? Maybe just find a guard who’s sloppy?
While it’s a lot more technical, finding a technique to subvert the Early Launch Antimalware (ELAM) system in Windows, as described by Red Canary’s principal threat researcher Matt Graeber in his Black Hat briefing, is similar to that scenario.
Graeber explained that an ELAM driver is secured against tampering, and it runs so early in the boot process that it can evaluate other boot-time drivers, with the potential to block any that are malicious. “To create this driver, you don’t have to implement any early launch code,” explained Graeber. “The only thing you need is a binary resource with rules that say which signers are allowed to run as Antimalware Light services. And you have to be a member of the rather exclusive Microsoft Virus Initiative program.”
“I had to investigate how the rules are implemented,” said Graeber. He then described just how he analyzed Microsoft Defender’s WdBoot.sys to determine the expected structure for these rules. In effect, each rule says that any program signed with a specific digital certificate is allowed to run as an Antimalware Light service, which affords it serious protections.
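To make the rule structure concrete, here is an added example (not from the article or from Graeber’s talk) that parses and audits such an allowlist blob from a defender’s side, the way a vendor might review its own ELAM driver. The layout is my reading of Microsoft’s published ELAM resource format and is an assumption: a 16-bit count, then per rule a null-terminated UTF-16LE hex hash of the certificate’s to-be-signed portion, a 16-bit algorithm id (0x800C for SHA-256), and a null-terminated UTF-16LE semicolon-separated EKU list; all hashes and OIDs below are constructed sample values.

```python
import struct

# Algorithm ids as used in the resource (assumed; 0x800C = SHA-256).
ALG_NAMES = {0x8004: "SHA1", 0x800C: "SHA256", 0x800D: "SHA384", 0x800E: "SHA512"}
HEX_LEN = {0x8004: 40, 0x800C: 64, 0x800D: 96, 0x800E: 128}


def _read_wstr(blob, off):
    """Return (text, next_offset) for a null-terminated UTF-16LE string at off."""
    end = off
    while True:
        if end + 2 > len(blob):
            raise ValueError("unterminated wide string at offset %d" % off)
        if blob[end:end + 2] == b"\x00\x00":
            return blob[off:end].decode("utf-16-le"), end + 2
        end += 2


def parse_elam_rules(blob):
    """Decode the allowlist blob into a list of {tbs_hash, alg, ekus} dicts."""
    (count,) = struct.unpack_from("<H", blob, 0)
    off, rules = 2, []
    for _ in range(count):
        tbs_hash, off = _read_wstr(blob, off)
        (alg,) = struct.unpack_from("<H", blob, off)
        off += 2
        ekus, off = _read_wstr(blob, off)
        rules.append({"tbs_hash": tbs_hash.upper(), "alg": alg,
                      "ekus": [e for e in ekus.split(";") if e]})
    return rules


def audit_rules(rules):
    """Flag rules a reviewer should look at: unknown algorithm, malformed hash, no EKU."""
    findings = []
    for i, r in enumerate(rules):
        if r["alg"] not in ALG_NAMES:
            findings.append((i, "unknown algorithm id 0x%04X" % r["alg"]))
        elif len(r["tbs_hash"]) != HEX_LEN[r["alg"]] or \
                any(c not in "0123456789ABCDEF" for c in r["tbs_hash"]):
            findings.append((i, "hash does not look like %s hex" % ALG_NAMES[r["alg"]]))
        if not r["ekus"]:
            findings.append((i, "no EKU listed: check whether the rule is meant to be that broad"))
    return findings


def build_blob(entries):
    """Encode rules in the same layout; used here only to construct the sample input."""
    out = struct.pack("<H", len(entries))
    for tbs_hash, alg, ekus in entries:
        out += tbs_hash.encode("utf-16-le") + b"\x00\x00" + struct.pack("<H", alg)
        out += ";".join(ekus).encode("utf-16-le") + b"\x00\x00"
    return out


# Constructed sample: one SHA-256 rule with the code-signing EKU, one SHA-1 rule with no EKU.
SAMPLE_BLOB = build_blob([("AA" * 32, 0x800C, ["1.3.6.1.5.5.7.3.3"]),
                          ("BB" * 20, 0x8004, [])])
```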
It’s not possible to swap in an unapproved driver, since each must be Microsoft-approved. And anti-tampering constraints mean it’s equally impossible to subvert an existing driver. “ELAM is an allowlist for Antimalware Light services,” mused Graeber. “What if it’s overly permissive? Does there exist an ELAM driver that may be overly permissive?”
A Grueling Search
Graeber relied on many resources in his search for a lax driver, among them VirusTotal Intelligence. You may be familiar with VirusTotal’s free malware check, which lets you submit a file or a hash and have it checked by around 70 antivirus engines. VirusTotal Intelligence provides much broader access to detailed information about just about every file and program in existence.
“Hunting for ELAM drivers, I got 886 results from VirusTotal,” said Graeber. “I filtered the list to validate results and got it to 766. I identified many vendors with ELAM drivers, some of them odd.” Here, Graeber showed a list that included one blank vendor name and several that looked incomplete. “If some of the vendors are odd, maybe there’s one rule set that’s odd.”
In the end, he discovered five certificates from four security companies that, as he hoped, provided a way to subvert ELAM. Without going into detail about certificate chains, he determined that any program with one of these in its certificate chain could run in the protected Antimalware Light mode. All he had to do was cross a list of such programs with VirusTotal’s list of malware to get a rogue’s gallery of malicious programs with the potential to run protected.
How to Weaponize This Weakness?
At this point, the talk stepped off the technical deep end. Graeber described searching the LOLbins for an abusable executable, coming up with a suitable version of Microsoft Build, and getting past various obstacles to let him run arbitrary code. I’m sure the bright programmers in the audience were nodding along in admiration.