Full Report
For our annual internal hacker conference, dubbed SenseCon, in 2023 I decided to take a look at communication between a Windows driver and its user-mode process. Here are some details about that journey. TL;DR: Attackers could use a Windows kernel R/W exploit primitive to cut off communication between EDR_Driver.sys and its EDR_process.exe. As a result, some EDR detection mechanisms are disabled, leaving the EDR (partially) blind to malicious payloads. This blog post describes an alternative approach that does not remove kernel callbacks, and gives some recommendations for protecting against this "filter-mute" attack.
Analysis Summary
# Tool/Technique: Filter-Mute Attack targeting EDR Communication
## Overview
This analysis describes a technique, termed "Filter-Mute," that exploits the communication channel between a Windows EDR user-mode process (`EDR_process.exe`) and its kernel-mode driver (`EDR_Driver.sys`). The primary goal of this attack is to partially blind the EDR solution by manipulating internal structures within the Windows kernel's Filter Manager (FLTMGR) to stop processing communications or notifications, effectively disabling some EDR detection and monitoring mechanisms without necessarily removing kernel callbacks entirely.
## Technical Details
- Type: Technique
- Platform: Windows
- Capabilities: Disabling EDR monitoring by modifying the connection limit between the user-mode EDR process and the kernel driver via FLTMGR structures.
- First Seen: Described at SenseCon 2023 (Published July 2023)
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
  - T1562 - Impair Defenses
  - T1562.001 - Disable or Modify Tools (Security Products)
## Functionality
### Core Capabilities
- Utilizes Windows kernel R/W exploit primitive (though the focus shifts to a different approach).
- Investigates the internal communication mechanism between an EDR driver (`EDR_Driver.sys`) and its user-mode component (`EDR_process.exe`).
- Leverages kernel debugging (WinDbg) to manually map the EDR internal structures.
### Advanced Features
- **Filter-Mute Attack:** Achieved by gaining visibility into the FLTMGR structures, specifically locating the `_FLT_SERVER_PORT_OBJECT` structure that represents the EDR filter's communication port.
- **Connection Limiting:** Sets the `MaxConnections` field within that `_FLT_SERVER_PORT_OBJECT` structure to zero (`0`), which halts the communication pipeline between the kernel driver and the user-mode process.
- **Automated Exploitation:** The methodology is documented with corresponding WinDbg commands and points to a Proof-of-Concept (PoC) script within **EDRSnowblast** to potentially automate the offset calculation and exploitation.
## Indicators of Compromise
*Note: Since this is a description of an attack methodology against an unspecified EDR, specific hashes or filenames for deployed malware are not provided. The key indicators relate to the manipulation of EDR components.*
- File Hashes: N/A (Focus is on memory manipulation)
- File Names: `EDR_Driver.sys` (Target driver), `EDR_process.exe` (Target user-mode process)
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators:
  - Abnormal modification of internal Windows kernel structures related to the Filter Manager (`FLTMGR!_FLT_SERVER_PORT_OBJECT`).
  - EDR process termination or severe degradation of telemetry/blocking functions.
  - Use of WinDbg commands like `eq [address] 0` targeting kernel memory offsets relevant to filter management objects.
## Associated Threat Actors
- The technique was developed and presented by researchers at Orange Cyberdefense (SensePost).
- No specific known threat actor group is explicitly named as using this exact method, but the general concept of targeting EDR communication is relevant to advanced threat groups.
## Detection Methods
- **Signature-based detection:** Difficult as the attack relies on memory manipulation specific to the EDR implementation, rather than known file signatures.
- **Behavioral detection:** Monitoring for direct, unsolicited write access or manipulation of kernel memory structures related to I/O filtering/LSP components (`FLTMGR`).
- **YARA rules if available:** Not provided based on the article content. Detection should focus on monitoring integrity of driver/process communication state.
## Mitigation Strategies
- **Prevention measures:**
  - Implement kernel protection mechanisms that monitor or prevent unauthorized modification of active device filter driver communication links.
- **Hardening recommendations:**
  - Employ proactive memory hardening techniques on kernel-side components to prevent arbitrary write primitives from impacting critical structures like the Filter Manager ports.
  - Regularly update EDR solutions; offsets mentioned for FLTMGR structures might change with OS updates, invalidating manual exploit steps.
  - Implement validation checks within the EDR logic to ensure the `MaxConnections` count on its server port object remains at an expected, non-zero value.
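The behavioral indicator above (tampering with `FLTMGR!_FLT_SERVER_PORT_OBJECT`) and the last hardening recommendation (verifying that `MaxConnections` stays at its expected, non-zero value) can both be checked from the defender's side when a kernel debugger or memory image is available. The following Python script is an added example, not code from the original post or from EDRSnowblast: it parses the text that WinDbg's `dt FLTMGR!_FLT_SERVER_PORT_OBJECT <address>` command prints and flags a port whose connection limit has been zeroed, whose connection count is inconsistent with the limit, or whose notify callbacks have been nulled. The field names follow the public FLTMGR symbols; the sample dump, its offsets, pointer values and the `EDR_Driver` symbol names are constructed for illustration and do not come from any specific Windows build.

```python
"""Integrity check of a FLTMGR server-port object from a WinDbg `dt` dump.

Added example (defender's side): reads the output of
  dt FLTMGR!_FLT_SERVER_PORT_OBJECT <address>
and reports signs of a "filter-mute" style modification.
"""
import re
from typing import Dict, List, Optional

# Constructed sample of `dt FLTMGR!_FLT_SERVER_PORT_OBJECT` output. Offsets,
# addresses and callback symbols are made up; only the field names are real.
SAMPLE_DUMP_HEALTHY = """\
   +0x000 FilterLink       : _LIST_ENTRY [ 0xffffa08c`1d4b2010 - 0xffffa08c`1d4b2010 ]
   +0x010 ConnectNotify    : 0xfffff806`52a13a10     long  EDR_Driver!ConnectNotify+0
   +0x018 DisconnectNotify : 0xfffff806`52a13b40     void  EDR_Driver!DisconnectNotify+0
   +0x020 MessageNotify    : 0xfffff806`52a13c80     long  EDR_Driver!MessageNotify+0
   +0x028 Filter           : 0xffffa08c`1d4a9010 _FLT_FILTER
   +0x030 Cookie           : (null)
   +0x038 Flags            : 0
   +0x03c NumberOfConnections : 0n1
   +0x040 MaxConnections   : 0n1
"""

# The same object after MaxConnections has been overwritten with zero
# (what the page describes as the filter-mute modification).
SAMPLE_DUMP_MUTED = SAMPLE_DUMP_HEALTHY.replace(
    "MaxConnections   : 0n1", "MaxConnections   : 0n0")

_FIELD_RE = re.compile(r"^\s*\+0x[0-9a-fA-F]+\s+(\w+)\s*:\s*(.*?)\s*$")
_HEX_RE = re.compile(r"^0x([0-9a-fA-F`]+)")
_DEC_RE = re.compile(r"^0n(\d+)")


def parse_dt_output(text: str) -> Dict[str, str]:
    """Map field name -> raw value text for every `+0xNNN Name : value` line."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def parse_number(raw: str) -> Optional[int]:
    """Decode WinDbg numeric notation: `0n123` (decimal), `0xffff`1234` (hex
    with backtick separators) or a bare number (hex, WinDbg's default radix).
    Returns None for non-numeric values such as `(null)` or a type name."""
    m = _DEC_RE.match(raw)
    if m:
        return int(m.group(1))
    m = _HEX_RE.match(raw)
    if m:
        return int(m.group(1).replace("`", ""), 16)
    if re.match(r"^[0-9a-fA-F]+$", raw):
        return int(raw, 16)
    return None


def check_server_port(dump: str, expected_max: Optional[int] = None) -> List[str]:
    """Return a list of findings for one server-port dump (empty == clean).

    expected_max is the connection limit the EDR registered with
    FltCreateCommunicationPort; pass it when known so drift is reported too.
    """
    fields = parse_dt_output(dump)
    findings: List[str] = []
    max_conn = parse_number(fields.get("MaxConnections", ""))
    if max_conn is None:
        return ["MaxConnections field missing: wrong symbols or not a _FLT_SERVER_PORT_OBJECT"]
    if max_conn == 0:
        findings.append("MaxConnections is 0: port rejects connections (filter-mute indicator)")
    elif expected_max is not None and max_conn != expected_max:
        findings.append(f"MaxConnections is {max_conn}, expected {expected_max}")
    n_conn = parse_number(fields.get("NumberOfConnections", ""))
    if n_conn is not None and n_conn > max_conn:
        findings.append(f"NumberOfConnections ({n_conn}) exceeds MaxConnections ({max_conn})")
    # The notify callbacks are what FLTMGR invokes on connect/message; a nulled
    # pointer here is another way the channel can be silenced.
    for cb in ("ConnectNotify", "DisconnectNotify", "MessageNotify"):
        raw = fields.get(cb, "")
        if parse_number(raw) in (None, 0):
            findings.append(f"{cb} callback pointer is null or unreadable: {raw!r}")
    return findings


if __name__ == "__main__":
    for label, dump in (("healthy", SAMPLE_DUMP_HEALTHY), ("muted", SAMPLE_DUMP_MUTED)):
        result = check_server_port(dump, expected_max=1)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

In practice the dump is obtained from a live kernel debugging session or a memory image with matching symbols; the script only reasons about the text, so a symbol mismatch (different field layout) is reported as a missing field rather than silently passing.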
## Related Tools/Techniques
- Windows Kernel R/W exploit primitive (mentioned as a precursor method).
- Process Injection via Callbacks (the EDR process being subverted).
- EDRSnowblast (a tool mentioned that includes scripts for extracting FLTMGR offsets, potentially used for automating this bypass).