
EDR killers and BYOVD attacks


Recent reporting has highlighted the growing prevalence of EDRKillShifter, a security tampering tool used in recent ransomware deployments by multiple threat actors. Its continued development and adoption is certainly concerning, but it is important to note that EDRKillShifter is not new, nor are the techniques it uses to disable security software.

Targeting privileged software

One of the first actions threat actors commonly take post-compromise is to disable security software. By disabling the monitoring provided by anti-virus or endpoint detection and response (EDR) software, they reduce the likelihood of being detected and can then run malware and malicious commands freely.

Most security software runs with elevated privileges, typically as a SYSTEM service backed by one or more kernel-mode drivers. This is to:

  • Provide access to monitor (and in some cases prevent) the execution of other software
  • Protect the security software itself

Threat actors must obtain similarly high privileges to override the security software's protections and ultimately disable or uninstall it. Local administrator rights alone are usually not enough: the agent is protected by its kernel-mode component, and an attacker cannot simply load a driver of their own to attack it, because Windows only loads signed drivers (although administrator rights are still needed to load any driver at all). One commonly observed technique to bridge that gap, from administrator to kernel-level access, is a Bring Your Own Vulnerable Driver (BYOVD) attack.

Bring your own vulnerable driver

Drivers provide a mechanism for user-mode software to access sensitive system resources. These may be hardware devices, or privileged operating system functionality such as reading or writing another process's memory or terminating it.

Drivers are intended to preserve system security while doing so: a well-written driver exposes only a narrow, validated set of operations (typically through I/O control codes, or IOCTLs), performing privileged work on the caller's behalf without handing the caller kernel-level access itself.

Unfortunately, vulnerabilities are often discovered in these drivers which allow them to be used in unintended ways. A common flaw is a driver that exposes a powerful operation, such as arbitrary memory access or process termination, without checking who is calling it. Because the driver runs in the kernel, exploiting such a flaw grants the attacker its capabilities without the restrictions the driver was supposed to impose.

While any vulnerable driver may be leveraged for privilege elevation, threat actors often target drivers shipped with security software and designed to remove rootkit malware from an endpoint. These drivers legitimately expose operations such as terminating protected processes and removing kernel callbacks, which are exactly the mechanisms EDR software relies on for monitoring, and they carry a valid vendor signature, so they load without tripping Driver Signature Enforcement. When such a driver fails to validate its caller, the attacker simply asks it to kill the EDR agent.

Security hardening

The likelihood of a successful BYOVD attack can be significantly reduced by blocking the use of known vulnerable drivers. Microsoft provides a mechanism to block a list of these drivers via App Control for Business (formerly Windows Defender Application Control): Microsoft – Recommended Driver Block Rules. The same list is enforced automatically when memory integrity (HVCI) is enabled and can be toggled in Windows Security under Core isolation, but that built-in copy is only refreshed with Windows releases, so applying the published policy directly gets the latest entries. Note that a block list stops only drivers that are already known to be vulnerable; a newly discovered one will load until it is added, which is why monitoring still matters.
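As an added example (not code from the Field Effect post), the following PowerShell, run from an elevated session, first reports whether memory integrity and the built-in vulnerable driver blocklist are active on the host, then applies the published block rules as an App Control policy, starting in audit mode so that would-be blocks can be reviewed before enforcement. The download path in $PolicyXml is an assumption; the XML itself is the one published on the Microsoft page linked above, and everything else uses the standard ConfigCI cmdlets and CiTool.

```powershell
# Added example; not code from the Field Effect post. Run from an elevated
# PowerShell session on Windows 10/11. The only assumption is the download
# location in $PolicyXml: the policy XML comes from Microsoft's
# "Microsoft recommended driver block rules" page.

$PolicyXml = Join-Path $env:USERPROFILE 'Downloads\RecommendedDriverBlock.xml'   # assumed path

# --- 1. Report the state of the built-in protections ------------------------

# Win32_DeviceGuard.SecurityServicesRunning contains 2 when memory integrity
# (HVCI) is active. CodeIntegrityPolicyEnforcementStatus: 0 off, 1 audit, 2 enforced.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)

# The Windows Security "Microsoft Vulnerable Driver Blocklist" toggle is stored here.
$ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$toggle = Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
$blocklistOn = ($null -ne $toggle) -and ($toggle.VulnerableDriverBlocklistEnable -eq 1)

[pscustomobject]@{
    HvciRunning               = $hvciRunning
    BuiltInDriverBlocklist    = $blocklistOn
    CodeIntegrityPolicyStatus = $dg.CodeIntegrityPolicyEnforcementStatus
} | Format-List

# --- 2. Apply the published block rules as an App Control policy -------------

# Start in audit mode (rule option 3): loads the policy would block are written
# to the Microsoft-Windows-CodeIntegrity/Operational log as event 3076 instead
# of being enforced (event 3077). Delete the option once the audit log is clean.
Set-RuleOption -FilePath $PolicyXml -Option 3
# Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete   # switch to enforcement

# Compile the XML into the binary form Code Integrity consumes. The policy
# carries its own PolicyID, which names the binary in multiple-policy format.
$policyId  = ([xml](Get-Content -Raw $PolicyXml)).SiPolicy.PolicyID
$PolicyBin = Join-Path $env:TEMP "$policyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# Install alongside any existing policies rather than overwriting SiPolicy.p7b.
$active = Join-Path $env:windir 'System32\CodeIntegrity\CiPolicies\Active'
New-Item -ItemType Directory -Path $active -Force | Out-Null
Copy-Item -Path $PolicyBin -Destination $active -Force

# Windows 11 22H2 and later can activate the policy without a reboot via
# CiTool; older builds need a restart for the new policy to take effect.
if (Get-Command citool.exe -ErrorAction SilentlyContinue) { citool.exe --refresh }
```

Leave the policy in audit mode long enough to see every driver your fleet legitimately loads; a 3076 event for a driver you depend on means a vendor update is due before you enforce, because once enforced that driver will simply fail to load.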

Protection with Field Effect MDR

Monitoring the use of known vulnerable drivers and similar security tampering techniques can help to prevent threat actors from disabling security software. It also serves as an additional detection opportunity, as the observed use of security tampering software can be leveraged to detect advanced threats earlier.

Field Effect MDR offers comprehensive protection through the behavioral monitoring of techniques throughout the cyber kill chain.

Field Effect MDR users are protected against security tampering tools like EDRKillShifter and BYOVD attacks through a robust layered approach to detection, including the following techniques associated with security tampering tools:

Tool ingress

Detection of techniques to transfer additional malware and tools to a compromised endpoint.

Tool execution

Detection of the execution of known security tampering tools, including EDRKillShifter.

Driver access

Detection of known vulnerable drivers being loaded, or unknown drivers being loaded using techniques consistent with BYOVD attacks.

Disabling security software

Detection of previously enabled security software becoming disabled.

Prevention of Field Effect endpoint software being accessed or disabled.

Detection of operating system security features being disabled.
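The "Driver access" item above, detecting known vulnerable drivers being loaded or unknown drivers loaded in a BYOVD-like way, is illustrated by the following added example. It is not Field Effect's detection logic; it applies a simple scoring rule to driver-load records shaped like Sysmon Event ID 6 (DriverLoad), which carries the ImageLoaded, Hashes, Signed, Signature and SignatureStatus fields. The sample events and the block-list hash are constructed placeholders, and the Test-DriverLoad function and its thresholds are this example's own.

```powershell
# Added example; not Field Effect's detection logic. Scores driver-load records
# shaped like Sysmon Event ID 6 (DriverLoad). Sample events and the hash in
# $KnownBadSha256 are constructed placeholders: populate the table from a
# maintained source such as the Deny rules in Microsoft's recommended driver
# block rules.

$KnownBadSha256 = @{
    ('1' * 64) = 'placeholder vulnerable anti-rootkit driver'   # not a real hash
}

# A legitimately installed driver lives under System32\drivers or a vendor
# directory; a BYOVD driver is usually dropped where the attacker can write.
$WritablePathPatterns = @('\\Users\\', '\\ProgramData\\', '\\Windows\\Temp\\', '\\AppData\\', '\\PerfLogs\\')

function Test-DriverLoad {
    param([Parameter(Mandatory)][hashtable]$Record)

    $score = 0
    $reasons = @()

    # Sysmon formats Hashes as "SHA256=...,MD5=..."; pull out the SHA-256.
    $sha = ($Record.Hashes -split ',' | Where-Object { $_ -like 'SHA256=*' } | Select-Object -First 1) -replace '^SHA256=', ''
    if ($sha -and $KnownBadSha256.ContainsKey($sha.ToUpper())) {
        $score += 100
        $reasons += "hash matches block list: $($KnownBadSha256[$sha.ToUpper()])"
    }

    foreach ($p in $WritablePathPatterns) {
        if ($Record.ImageLoaded -match $p) {
            $score += 60
            $reasons += 'loaded from user-writable path'
            break
        }
    }

    # Note the direction of this check: a BYOVD driver is normally *validly*
    # signed (that is why it loads under Driver Signature Enforcement), so a
    # good signature never clears an event; a bad one only adds suspicion.
    if ($Record.Signed -ne 'true' -or $Record.SignatureStatus -ne 'Valid') {
        $score += 40
        $reasons += "signature not valid ($($Record.SignatureStatus))"
    }

    [pscustomobject]@{
        Driver  = $Record.ImageLoaded
        Signer  = $Record.Signature
        Score   = $score
        Alert   = ($score -ge 60)
        Reasons = ($reasons -join '; ')
    }
}

# Constructed sample events (not captured data): a normal Windows driver, a
# validly signed but known-vulnerable driver dropped under Users, and an
# unsigned driver in Windows\Temp.
$samples = @(
    @{ ImageLoaded = 'C:\Windows\System32\drivers\tcpip.sys'; Hashes = 'SHA256=' + ('2' * 64)
       Signed = 'true';  Signature = 'Microsoft Windows';        SignatureStatus = 'Valid' },
    @{ ImageLoaded = 'C:\Users\Public\Music\svc.sys';           Hashes = 'SHA256=' + ('1' * 64)
       Signed = 'true';  Signature = 'Example Security Vendor';  SignatureStatus = 'Valid' },
    @{ ImageLoaded = 'C:\Windows\Temp\x.sys';                   Hashes = 'SHA256=' + ('3' * 64)
       Signed = 'false'; Signature = '';                         SignatureStatus = 'Unavailable' }
)
$samples | ForEach-Object { Test-DriverLoad -Record $_ } | Format-Table -AutoSize

# Against a live host, feed real Sysmon DriverLoad records instead:
# Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=6]]'
```

On the constructed input the first record scores 0, the second 160 (hash plus path) and the third 100 (path plus signature), so the last two alert. The hash match is the only definitive signal; the path and signature checks exist to catch a driver that is not yet on any block list, which is the case the "unknown drivers being loaded using techniques consistent with BYOVD attacks" wording above refers to.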