EDRs have a super power. They can delete any file. This session will show how we used their own power against them and managed to create the next-gen wiper that runs with the permissions of an unprivileged user yet has the ability to wipe almost any file on the system, including system files. It does all that without implementing code that actually touches target files by itself, making it undetectable.


RSAC 2023 brought together thousands of cybersecurity professionals for four incredible days of expert perspectives, groundbreaking innovation, and best practices. 

Aikido: Turning EDRs to Malicious Wipers Using 0-day Exploits

Conference: RSA Conference 2023

Authors: Or Yair

Abstract

Post a comment

Related work

Reconstruct the World from Vanished Shadow: Recovering Deleted VSS Snapshots

Fooling Windows through Superfetch

Relocation Bonus: Attacking the Windows Loader Makes Analysts Switch Careers

Exploiting Windows Exploit Mitigation for ROP Exploits

Contain Yourself: Staying Undetected Using the Windows Container Isolation Framework

Dirty Stream Attack, Turning Android Share Targets Into Attack Vectors