Living Off the Walled Garden: Abusing the Features of the Early Launch Antimalware Ecosystem

The presentation discusses the potential for abusing the Elam driver and Microsoft certificates to achieve arbitrary unsigned code execution in protected processes.

• Elam driver and Microsoft certificates can be abused to achieve arbitrary unsigned code execution in protected processes
• The presentation provides code examples and steps for weaponizing the Elam driver and Microsoft certificates
• Constraints exist for abusing Ms build, but creative solutions can be found

The presenter demonstrated how Ms build can be abused to run arbitrary Powershell code at the anti-malware light level, despite constraints such as the inability to spawn child processes.

Early Launch Antimalware (ELAM) functionality in Windows offers robust anti-tampering mitigations whereby security vendors declare a Microsoft-approved list of explicitly allowed signers to run as protected (PPL) services. Microsoft makes clear that these mitigations are best-effort attempts to mitigate against security product tampering by labeling ELAM and PPL "defense-in-depth security features." This talk aims to make clear why these mitigations are "best-effort" and ultimately indefensible.This talk will cover a methodology for assessing ELAM drivers and demonstrate scenarios where overly-permissive rules open up adversary tradecraft opportunities, not through exploiting vulnerabilities but through the abuse of intended functionality. A single, overly-permissive ELAM driver enables an adversary to not only tamper with security products but it also supplies malware with anti-tampering protections, hampering detection and remediation efforts. The talk will conclude with a demo of gaining user-mode code execution through an abusable, signed executable running with an antimalware-light protection level.