Windows Defender-Pretender Attack Dismantles Flagship Microsoft EDR

BLACK HAT USA – Las Vegas – Wednesday, Aug. 9: Among the 97 CVEs that Microsoft patched in April 2023 was a security feature bypass vulnerability that allows an unprivileged user to hijack Windows Defender and use it to wreak havoc on target systems.

Researchers at SafeBreach — who discovered similar vulnerabilities in security products previously — uncovered the issue with Windows Defender during an attempt take over the antivirus tool's update process.

Hijacking the Update Process

The research goal was to verify if the update process could be used to sneak known malware into systems the software is designed to protect. Researchers also wanted to verify if they could get Windows Defender to delete signatures of known threats and worse, to delete benign files and trigger a denial-of-service condition on a compromised system.

The researchers were able to achieve all three objectives and even develop an automated tool dubbed wd-pretender — for Windows Defender Pretender — that implemented each of the attack vectors. Microsoft assigned a CVE for the issue they discovered — CVE-2023-24934 — and issued a fix for it in April.

SafeBreach researchers Tomer Bar and Omer Attias presented a summary of their findings at a Black Hat USA session on Wednesday, entitled "Defender Pretender: When Windows Defender Updates Become a Security Risk."

In a conversation with Dark Reading before their presentation, Bar and Attias say their research was inspired by the sophisticated Flame cyberespionage campaign that targeted organizations in Iran and other countries in the Middle East back in 2012. The nation-state actor behind the campaign inserted themselves into the middle of the Windows update process and used it to deliver the Flame malware tool on previously infected computers.

Bar says the goal with SafeBreach's latest research was to see if they could replicate something similar without a complex man-in-the-middle attack and without a forged certificate — as with the case with the Flame campaign. Significantly, the researchers wanted to see if they would take over the Windows Defender update process as an unprivileged user.

The Defender Update Process

In studying the Windows Defender update process, Bar and Attias discovered that signature updates are typically contained in a single executable file called the Microsoft Protection Antimalware Front End (MPAM-FE[.]exe). The MPAM file in turn contained two executables and four additional Virtual Device Metadata (VDM) files with malware signatures in compressed — but not encrypted — form. The VDM files worked in tandem to push signature updates to Defender.

The researchers discovered that two of the VDM files were large sized "Base" files that contained some 2.5 million malware signatures, while the other two were smaller-sized, but more complex, "Delta" files. They determined the Base file was the main file that Defender checked for malware signatures during the update process, while the smaller Delta file defined the changes that needed to be made to the Base file.

Initially, Bar and Attias attempted to see if they could hijack the Defender update process by replacing one of the executables in the MPAM file with a file of their own. Defender immediately spotted that the file was not Microsoft-signed and stopped the update process, Bar says.

Tampering With Signed Files

Researchers then decided to see if they could take over the Defender update process by tampering with the Microsoft-signed VDM files.

In analyzing the files, they were able to easily identify malware names and their associated signatures and where the strings began and ended. The two researchers found that Windows Defender signatures are the result of merging data from the Base and Delta files. They found Defender used a validation process to ensure data in the files hadn't changed during or before the merge process and identified two specific numbers that Defender used for validation purposes. Bar says he was able to use this information to hijack the update process by using a modified VDM file version.

Bar says that as proof of concept he was able to make changes to VDM files so that Defender failed to spot threats like Conti ransomware and Mimikatz, even though it had signatures for spotting both threats. By simply deleting the name of a specific malware threat from the Defender signature database they were able to ensure Defender did not detect the threat.

Similarly, the researchers found they could easily sneak malicious files into a system by labeling them as "FriendlyFiles," which is basically an allow-list that Defender users to identify benign files. As proof, they demonstrated how they could sneak in Mimikatz on a system by replacing a hash on the FriendlyFiles list with the hash for Mimikatz. Bar says he was also able to trigger a denial-of-service condition on a test machine by tricking Windows Defender into thinking all portable executable files on the system were Emotet malware. The researchers rigged the attack in such a way that whenever Defender encountered the string "This program cannot be run in dos mode" — something that is true of almost every single modern app — Defender would automatically delete them. The end result was complete denial of service on the test system, Tomer says.

Previously, another researcher from SafeBreach had shown how an attacker, with only the permissions of an unprivileged user, could manipulate several common endpoint detection and response systems to wipe any file on a system. The key takeaway for organizations is that motivated attackers can always find ways to bypass even typically reliable security technologies, Bar says.

While Microsoft used digitally signed files during the update process, the Windows Defender vulnerability meant validation checks failed to spot subsequent changes to those signed files, he says. Based on the potential for signature update processes to be exploited as a new attack vector, more research is needed to ensure the security of this process.