Living Off the Walled Garden: Abusing the Features of the Early Launch Antimalware Ecosystem

Conference: Black Hat USA 2022

The presentation discusses how the ELAM driver mechanism and Microsoft-signed binaries can be abused to achieve arbitrary unsigned code execution in protected processes.
  • An overly permissive ELAM driver, combined with Microsoft-signed binaries, can be abused to achieve arbitrary unsigned code execution in protected processes
  • The presentation provides code examples and steps for weaponizing the ELAM driver and Microsoft-signed binaries
  • Constraints exist for abusing MSBuild, but creative solutions can be found
The presenter demonstrated how MSBuild can be abused to run arbitrary PowerShell code at the antimalware-light protection level, despite constraints such as the inability to spawn child processes.

Early Launch Antimalware (ELAM) functionality in Windows offers robust anti-tampering mitigations whereby security vendors declare a Microsoft-approved list of explicitly allowed signers to run as protected (PPL) services. Microsoft makes clear that these mitigations are best-effort attempts to mitigate against security product tampering by labeling ELAM and PPL "defense-in-depth security features." This talk aims to make clear why these mitigations are "best-effort" and ultimately indefensible.

This talk will cover a methodology for assessing ELAM drivers and demonstrate scenarios where overly-permissive rules open up adversary tradecraft opportunities, not through exploiting vulnerabilities but through the abuse of intended functionality. A single, overly-permissive ELAM driver enables an adversary to not only tamper with security products but it also supplies malware with anti-tampering protections, hampering detection and remediation efforts.

The talk will conclude with a demo of gaining user-mode code execution through an abusable, signed executable running with an antimalware-light protection level.
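As an added example of the assessment step described above (this is not code from the talk, its presenter, or Microsoft), the following Python parses the payload of an ELAM driver's `MSElamCertInfoID` resource and flags rules that a reviewer would consider overly permissive. It assumes the layout documented for `MicrosoftElamCertificateInfo` resources: a 16-bit entry count, then per entry a null-terminated UTF-16LE string holding the hex TBS certificate hash, a 16-bit `CALG_*` hash algorithm identifier, and a null-terminated UTF-16LE semicolon-separated EKU list. The "no EKU constraint" and "weak hash algorithm" checks are heuristics chosen here, and the sample resource blob is constructed for the example, not taken from any real driver.

```python
import struct

# CALG_* identifiers from wincrypt.h that an ELAM rule may name for the TBS hash.
CALG_NAMES = {
    0x8003: "CALG_MD5",
    0x8004: "CALG_SHA1",
    0x800C: "CALG_SHA_256",
    0x800D: "CALG_SHA_384",
    0x800E: "CALG_SHA_512",
}
WEAK_ALGORITHMS = {0x8003, 0x8004}


def _read_wstr(blob: bytes, off: int):
    """Read a null-terminated UTF-16LE string starting at `off`; return (text, next_offset)."""
    end = off
    while True:
        if end + 2 > len(blob):
            raise ValueError("unterminated wide string in ELAM resource")
        if blob[end:end + 2] == b"\x00\x00":
            break
        end += 2
    return blob[off:end].decode("utf-16-le"), end + 2


def parse_elam_cert_info(blob: bytes) -> list:
    """Parse an MSElamCertInfoID payload into a list of rule dicts (layout as assumed in the lead-in)."""
    (count,) = struct.unpack_from("<H", blob, 0)
    off = 2
    rules = []
    for _ in range(count):
        tbs_hash, off = _read_wstr(blob, off)
        (algid,) = struct.unpack_from("<H", blob, off)
        off += 2
        eku_text, off = _read_wstr(blob, off)
        rules.append({
            "tbs_hash": tbs_hash.lower(),
            "algorithm": algid,
            "algorithm_name": CALG_NAMES.get(algid, "unknown(0x%04x)" % algid),
            # An empty EKU field means the rule constrains only the signer hash.
            "ekus": [e for e in eku_text.split(";") if e],
        })
    return rules


def assess_rules(rules: list) -> list:
    """Heuristic review of each rule; returns human-readable findings for an ELAM driver audit."""
    findings = []
    for i, r in enumerate(rules):
        if not r["ekus"]:
            findings.append(
                "rule %d: no EKU constraint, every binary signed under TBS hash %s... "
                "may run as antimalware-light PPL" % (i, r["tbs_hash"][:16])
            )
        if r["algorithm"] in WEAK_ALGORITHMS:
            findings.append("rule %d: weak hash algorithm %s" % (i, r["algorithm_name"]))
        if r["algorithm"] not in CALG_NAMES:
            findings.append("rule %d: unrecognised algorithm id 0x%04x" % (i, r["algorithm"]))
    return findings


def build_entry(tbs_hash: str, algid: int, ekus: list) -> bytes:
    """Encode one rule in the assumed resource layout (used here only to construct sample input)."""
    return (
        tbs_hash.encode("utf-16-le") + b"\x00\x00"
        + struct.pack("<H", algid)
        + ";".join(ekus).encode("utf-16-le") + b"\x00\x00"
    )


# Constructed sample resource: one tightly scoped rule and one rule with no EKU restriction.
# The hashes and the EKU OID are placeholders, not values from any real certificate.
SAMPLE_RESOURCE = (
    struct.pack("<H", 2)
    + build_entry("a1" * 32, 0x800C, ["1.2.3.4.5.6.7.8.9"])
    + build_entry("b2" * 32, 0x800C, [])
)


def audit_sample() -> list:
    """Parse and assess the constructed sample; returns the findings list."""
    return assess_rules(parse_elam_cert_info(SAMPLE_RESOURCE))


if __name__ == "__main__":
    for rule in parse_elam_cert_info(SAMPLE_RESOURCE):
        print(rule)
    for finding in audit_sample():
        print("FINDING:", finding)
```

To audit a real driver you would extract the resource bytes with a PE parser and pass them to `parse_elam_cert_info`; the findings then tell you which allowed signers are scoped only by certificate hash, which is the condition the talk describes as letting any binary signed by that certificate inherit antimalware-light protection.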