{"id":15959,"date":"2019-07-31T09:00:43","date_gmt":"2019-07-31T17:00:43","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/07\/31\/news-9703\/"},"modified":"2019-07-31T09:00:43","modified_gmt":"2019-07-31T17:00:43","slug":"news-9703","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/07\/31\/news-9703\/","title":{"rendered":"How Windows Defender Antivirus integrates hardware-based system integrity for informed, extensive endpoint protection"},"content":{"rendered":"<p><strong>Credit to Author: Eric Avena| Date: Wed, 31 Jul 2019 16:30:35 +0000<\/strong><\/p>\n<p>Detecting and stopping attacks that tamper with kernel-mode agents at the hypervisor level is a critical component of the unified endpoint protection platform in Microsoft Defender Advanced Threat Protection (<a href=\"https:\/\/www.microsoft.com\/en-us\/microsoft-365\/windows\/microsoft-defender-atp\">Microsoft Defender ATP<\/a>). It\u2019s not without challenges, but the deep integration of <a href=\"https:\/\/docs.microsoft.com\/windows\/security\/threat-protection\/windows-defender-antivirus\/windows-defender-antivirus-in-windows-10\">Windows Defender Antivirus<\/a> with <a href=\"https:\/\/docs.microsoft.com\/windows\/security\/threat-protection\/windows-defender-antivirus\/windows-defender-antivirus-in-windows-10\">hardware-based isolation<\/a> capabilities allows the detection of artifacts of such attacks.<\/p>\n<p>Recently, the Microsoft Defender ATP research team found a malicious system driver enabling a token swap attack that could lead to privilege escalation. 
In this blog, we\u2019ll share our analysis of this attack and discuss how Windows Defender Antivirus uses its unique visibility into system behaviors to detect dangerous kernel threats.<\/p>\n<h3>Hardware-based root of trust<\/h3>\n<p><a href=\"https:\/\/docs.microsoft.com\/windows\/security\/threat-protection\/windows-defender-system-guard\/system-guard-how-hardware-based-root-of-trust-helps-protect-windows\">Windows Defender System Guard<\/a>, a hardware-based system integrity capability in Microsoft Defender ATP, has a runtime measurement component called <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2018\/04\/19\/introducing-windows-defender-system-guard-runtime-attestation\/\">runtime attestation<\/a>. This runtime measurement component includes a sub-engine called the assertion engine (see Figure 1), which continuously measures and asserts the integrity of the Windows kernel, providing supplementary signals about any abnormal system behavior.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-89695 aligncenter\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/07\/fig1-Windows-Defender-System-Guard-runtime-attestation.png\" alt=\"\" width=\"800\" height=\"460\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/07\/fig1-Windows-Defender-System-Guard-runtime-attestation.png 800w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/07\/fig1-Windows-Defender-System-Guard-runtime-attestation-300x173.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/07\/fig1-Windows-Defender-System-Guard-runtime-attestation-768x442.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 1. 
High-level Windows Defender System Guard runtime attestation architecture<\/em><\/p>\n<p>Architecturally, the solution is collectively referred to as the Windows Defender System Guard runtime monitor and consists of the following client-side components:<\/p>\n<ul>\n<li>The VTL-1 runtime assertion engine itself<\/li>\n<li>A VTL-0 kernel-mode agent<\/li>\n<li>A VTL-0 process we call the \u2018broker\u2019 to host the assertion engine<\/li>\n<\/ul>\n<p>The goal is to detect artifacts of data corruption attacks and other threats that tamper with kernel-mode agents at the hypervisor level. <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/windows-defender-antivirus\/windows-defender-antivirus-in-windows-10\">Windows Defender Antivirus<\/a>, the next-generation component of Microsoft Defender ATP, integrates with Windows Defender System Guard runtime attestation and consumes signals from the assertion engine.<\/p>\n<h3>Detecting token theft attacks<\/h3>\n<p>Every Windows process has a <a href=\"https:\/\/msdn.microsoft.com\/library\/windows\/desktop\/ms721603#-security-primary-token-gly\">primary token<\/a> that describes the <a href=\"https:\/\/msdn.microsoft.com\/library\/windows\/desktop\/ms721625#-security-security-context-gly\">security context<\/a> of the user account associated with the process. The information in the token includes the identity and privileges of the user account associated with the process or thread. 
Token theft attacks are common because they let an adversary reuse another account\u2019s access token and operate under a different security context, both to perform malicious actions with that account\u2019s privileges and to evade detection.<\/p>\n<p>The Microsoft Defender ATP Research team recently uncovered and analyzed signals from the Windows Defender System Guard assertion engine that indicated manipulation of a primary token, causing a token swap \u2013 a distinctly suspicious activity, given that a process\u2019s primary token is assigned at creation and is not expected to change while the process runs.<\/p>\n<p>Further analysis of Windows Defender Antivirus telemetry identified the malicious system driver responsible for the token swap that violated this invariant. The sample containing the driver was signed with a compromised certificate (thumbprint: 31e5380e1e0e1dd841f0c1741b38556b252e6231) that is commonly misused in the wild.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-89696\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/07\/fig2-Revoked-certificate.png\" alt=\"\" width=\"400\" height=\"483\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/07\/fig2-Revoked-certificate.png 514w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/07\/fig2-Revoked-certificate-248x300.png 248w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 2. Revoked certificate used by malicious system driver<\/em><\/p>\n<p>The driver exhibited the following rootkit behavior:<\/p>\n<ul>\n<li>Token swap<\/li>\n<li>Tampering with the kernel-mode EPROCESS structure and the user-mode PEB to disguise the process as svchost.exe<\/li>\n<\/ul>\n<p>In this scenario, Windows Defender System Guard raised an initial assertion failure signal for the token swap. 
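<\/p>\n<p>To make the invariant concrete, here is an added example, not code from the original post or from System Guard itself: a portable C simulation of the two kinds of assertion the case above trips. The structs are toy stand-ins for EPROCESS and the PEB, not the real kernel layouts, and the tokens, PID and image paths are constructed for the demo. The engine snapshots the token pointer and image name when a process starts and re-asserts them later; it also cross-checks the kernel\u2019s image name against the user-mode PEB path, which catches a rootkit that rewrites only one of the two views.<\/p>

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-ins for the kernel objects involved. Assumption: these are not the
   real EPROCESS/PEB layouts, only the fields the rootkit in the post tampers with. */
typedef struct {
    uint32_t uid;         /* identity the token carries */
    uint32_t privileges;  /* privilege bitmask */
} token_t;

typedef struct {
    uint32_t pid;
    const token_t *token;        /* stand-in for EPROCESS.Token */
    char image_name[16];         /* stand-in for EPROCESS.ImageFileName (15 chars + NUL) */
    const char *peb_image_path;  /* stand-in for the PEB's ImagePathName (user-mode view) */
} eprocess_t;

/* What the assertion engine records at process creation and re-asserts later. */
typedef struct {
    uint32_t pid;
    const token_t *token;
    char image_name[16];
} snapshot_t;

enum {
    ASSERT_OK            = 0,
    ASSERT_TOKEN_SWAPPED = 1,  /* EPROCESS.Token no longer points at the original token */
    ASSERT_NAME_CHANGED  = 2,  /* ImageFileName differs from its value at process start */
    ASSERT_PEB_MISMATCH  = 4   /* kernel view and user-mode (PEB) view disagree */
};

static const char *basename_of(const char *path) {
    const char *base = path;
    for (const char *p = path; *p; p++)
        if (*p == '\\' || *p == '/') base = p + 1;
    return base;
}

/* Case-insensitive compare, limited to the 15 characters ImageFileName can hold. */
static int names_match(const char *a, const char *b) {
    for (int i = 0; i < 15; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
        if (a[i] == '\0') return 1;
    }
    return 1;
}

void take_snapshot(const eprocess_t *p, snapshot_t *s) {
    s->pid = p->pid;
    s->token = p->token;
    memcpy(s->image_name, p->image_name, sizeof s->image_name);
}

/* Re-measure a live process against its snapshot; returns a bitmask of failures. */
int assert_process(const eprocess_t *p, const snapshot_t *s) {
    int failures = ASSERT_OK;
    if (p->token != s->token)
        failures |= ASSERT_TOKEN_SWAPPED;
    if (memcmp(p->image_name, s->image_name, sizeof s->image_name) != 0)
        failures |= ASSERT_NAME_CHANGED;
    if (!names_match(p->image_name, basename_of(p->peb_image_path)))
        failures |= ASSERT_PEB_MISMATCH;
    return failures;
}

/* Constructed tokens: a low-privilege user and a SYSTEM stand-in. */
static const token_t user_token   = { 1001, 0x0001 };
static const token_t system_token = { 18,   0xFFFF };

/* An untampered process must pass every assertion. */
int clean_process_passes(void) {
    eprocess_t proc = { 4242, &user_token, "payload.exe", "C:\\Users\\alice\\payload.exe" };
    snapshot_t snap;
    take_snapshot(&proc, &snap);
    return assert_process(&proc, &snap) == ASSERT_OK;
}

/* Replays the behaviour described in the post: the process is handed the SYSTEM token
   and EPROCESS.ImageFileName is rewritten to svchost.exe. With tamper_peb set, the PEB
   path is rewritten as well so the two views stay consistent. Returns the failure mask. */
int run_demo(int tamper_peb) {
    eprocess_t proc = { 4242, &user_token, "payload.exe", "C:\\Users\\alice\\payload.exe" };
    snapshot_t snap;
    take_snapshot(&proc, &snap);

    proc.token = &system_token;                        /* token swap */
    memset(proc.image_name, 0, sizeof proc.image_name);
    strcpy(proc.image_name, "svchost.exe");            /* fits: 11 chars + NUL */
    if (tamper_peb)
        proc.peb_image_path = "C:\\Windows\\System32\\svchost.exe";

    return assert_process(&proc, &snap);
}

int main(void) {
    int f = run_demo(1);
    printf("assertion failures: 0x%x%s%s%s\n", f,
           (f & ASSERT_TOKEN_SWAPPED) ? " TOKEN_SWAPPED" : "",
           (f & ASSERT_NAME_CHANGED)  ? " NAME_CHANGED"  : "",
           (f & ASSERT_PEB_MISMATCH)  ? " PEB_MISMATCH"  : "");
    return 0;
}
```

<p>A rootkit that rewrites EPROCESS and the PEB consistently, as the one in this case did, passes the cross-view check but still fails the snapshot comparison, which is why the primary-token invariant is the stronger signal: the token pointer has no legitimate reason to change after process creation.<\/p>\n<p>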
Windows Defender Antivirus consumed the signal and applied intelligence to discover that the suspicious activity was being orchestrated by a system driver.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-89697 aligncenter\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/07\/fig3-decompiled-malicious-driver-cdoe.png\" alt=\"\" width=\"700\" height=\"567\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/07\/fig3-decompiled-malicious-driver-cdoe.png 700w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2019\/07\/fig3-decompiled-malicious-driver-cdoe-300x243.png 300w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/p>\n<p style=\"text-align: center;\"><em>Figure 3. Decompiled malicious driver code for token theft<\/em><\/p>\n<p>Using a Microsoft cloud service that keeps track of stolen or revoked PKI certificates worldwide, Windows Defender Antivirus confirmed that the driver, which was communicating with the accompanying malicious binary to perform the token swap, was indeed signed with a revoked or stolen certificate.<\/p>\n<p>Windows Defender Antivirus works seamlessly with Microsoft cloud services, such as the one that flags binaries signed by stolen or revoked certificates. Signals like these enrich the protection delivered by multiple next-generation protection engines in Windows Defender Antivirus to provide near-instant, automated defense against new and emerging threats. With cloud-delivered protection, next-generation technologies provide rapid identification and blocking of attacks, typically even before a single machine is infected.<\/p>\n<h3>Device integrity for broader security<\/h3>\n<p>The goal of Windows Defender System Guard runtime attestation is to provide its consumers with a trustworthy assessment of the security posture and integrity of devices. 
Apps and services can take advantage of this attestation technology to ensure that the system is free from tampering and that critical processes are running as expected. Runtime attestation can help in many scenarios, including:<\/p>\n<ul>\n<li>Providing supplementary signals for endpoint detection and response (EDR) and antivirus vendors (including full integration with the <a href=\"https:\/\/www.microsoft.com\/en-us\/windowsforbusiness\/windows-atp?ocid=cx-blog-mmpc\">Microsoft Defender ATP<\/a> stack)<\/li>\n<li>Detecting artifacts of kernel tampering, rootkits, and exploits<\/li>\n<li>Protected game anti-cheat scenarios (for example, detection of process-protection bypasses that can lead to game-state modification)<\/li>\n<li>Securing sensitive transactions (banking apps, trading platforms)<\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/blog\/2017\/10\/23\/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard\/\">Conditional access<\/a> (enabling and enhancing device security-based access policies)<\/li>\n<\/ul>\n<p>The assertion engine is designed to detect attacks that remain feasible under the most restrictive conditions, such as when the system has already been hardened with hypervisor-protected code integrity (HVCI) and enforced kernel-mode code integrity (KMCI). Code-integrity enforcement stops unsigned kernel code from loading, but it does not by itself prevent data-only tampering such as overwriting a process\u2019s token pointer, which is why the assertion engine focuses on invariants over kernel data.<\/p>\n<p>This case study shows how <a href=\"https:\/\/www.microsoft.com\/en-us\/windowsforbusiness\/windows-atp?ocid=cx-blog-mmpc\">Microsoft Defender ATP<\/a> \u2013 and hence the broader <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/technology\/threat-protection\">Microsoft Threat Protection<\/a> \u2013 reaps significant security benefits from Windows Defender System Guard runtime attestation. 
We invite the industry to do the same.<\/p>\n<p>To learn more, read our blog about <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2018\/04\/19\/introducing-windows-defender-system-guard-runtime-attestation\/\">Windows Defender System Guard runtime attestation<\/a>.<\/p>\n<p><em><strong>Abhijat Singh<\/strong>, Enterprise &amp; Security<\/em><br \/> <em><strong>David Kaplan (<a href=\"https:\/\/twitter.com\/depletionmode\">@depletionmode<\/a>)<\/strong>, Microsoft Defender ATP Research<\/em><br \/> <em><strong>Chun Feng<\/strong>, Microsoft Defender ATP Research<\/em><br \/> <em><strong>Hermineh Sanossian<\/strong>, Enterprise &amp; Security<\/em><\/p>\n<hr \/>\n<h3>Talk to us<\/h3>\n<p>Questions, concerns, or insights on this story? Join discussions at the\u00a0<a href=\"https:\/\/techcommunity.microsoft.com\/t5\/Microsoft-Defender-ATP\/bg-p\/MicrosoftDefenderATPBlog\">Microsoft Defender ATP community<\/a>.<\/p>\n<p>Read all <a href=\"https:\/\/www.microsoft.com\/security\/blog\/microsoft-security-intelligence\/\">Microsoft security intelligence blog posts<\/a>.<\/p>\n<p>Follow us on Twitter <a href=\"https:\/\/twitter.com\/MsftSecIntel\" target=\"_blank\" rel=\"noopener\"><strong>@MsftSecIntel<\/strong><\/a>.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/07\/31\/how-windows-defender-antivirus-integrates-hardware-based-system-integrity-for-informed-extensive-endpoint-protection\/\">How Windows Defender Antivirus integrates hardware-based system integrity for informed, extensive endpoint protection<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/\">Microsoft Security<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Eric Avena| Date: Wed, 31 Jul 2019 16:30:35 +0000<\/strong><\/p>\n<p>The deep integration of Windows Defender Antivirus with hardware-based isolation capabilities allows the detection of artifacts of attacks that tamper with kernel-mode agents at the hypervisor level.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/07\/31\/how-windows-defender-antivirus-integrates-hardware-based-system-integrity-for-informed-extensive-endpoint-protection\/\">How Windows Defender Antivirus integrates hardware-based system integrity for informed, extensive endpoint protection<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/\">Microsoft Security<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[22514,4500,21874,21490,22452,22453,22456,11946,18188,17187,21483,22515,22516,11774,21496],"class_list":["post-15959","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-assertion-engine","tag-cybersecurity","tag-hardware-based-isolation","tag-kernel-mode-attacks","tag-microsoft-defender-advanced-threat-protection","tag-microsoft-security-intelligence","tag-next-generation-protection","tag-privilege-escalation","tag-runtime-attestation","tag-security-intelligence","tag-threat-protection","tag-token-swap","tag-token-theft","tag-windows-defender-antivirus","tag-windows-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15959","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/ind
ex.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15959"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15959\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15959"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15959"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15959"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}