The research showed that a MiniFilter driver whose altitude is stored in the registry, such as Sysmon's, can be abused to cripple EDR drivers. The Filter Manager does not allow two filter instances at the same altitude, so if another MiniFilter is given the EDR driver's altitude and is made to load first, the EDR driver's instance cannot attach.
The EDR driver therefore fails to register its file-system filter with the Filter Manager, and the telemetry that depends on it is lost. The attack relies entirely on the hierarchical structure of MiniFilters and the requirement that each occupies a unique altitude.
Microsoft's MDE has a defense against tampering with its own driver's altitude: when Sysmon's altitude was edited to match MDE's, the regedit process was terminated and Sysmon's Altitude entry was removed.
However, applying the same altitude change to a different MiniFilter, FileInfo, succeeded. MDE's driver then failed to load and its real-time protection was bypassed, showing that the protection covers one known abuse path rather than the underlying weakness.
EDR vendor X initially detected other drivers that carried its altitude, but the detection was bypassed by storing the Altitude value with a different registry type, REG_MULTI_SZ instead of REG_SZ, which the check did not inspect.
The vendor now mitigates the issue by using an altitude with a dot followed by five dynamically assigned digits. Because the value is no longer the fixed, documented altitude, an attacker cannot predict it and assign it to another MiniFilter.
Some EDR vendors mitigated the issue by adjusting their driver's load order instead, but Patrik Jokela bypassed this by modifying the Altitude together with the other registry values that influence load order.
The load order of MiniFilter drivers is determined by several values in the driver's service key. "Group" assigns the driver to a load-order group; the order of the groups themselves is held in HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\List, and Control\GroupOrderList holds, per group, the ordered list of "Tag" values that fixes the order within that group.
"Start" dictates when the driver is loaded: 0 (SERVICE_BOOT_START) loads it from the boot loader, 1 (SERVICE_SYSTEM_START) during kernel initialization. "Type" identifies the driver kind: 1 (SERVICE_KERNEL_DRIVER) or 2 (SERVICE_FILE_SYSTEM_DRIVER), both kernel-mode. Finally, "Tag" gives a precise position among the drivers of the same group.
To make the colliding MiniFilter load ahead of the EDR driver, the research configured it as follows: Group set to "FSFilter Infrastructure", the earliest of the file-system filter groups, so it loads before every other MiniFilter; Start set to 0 for boot-time loading; and Type set to either SERVICE_KERNEL_DRIVER or SERVICE_FILE_SYSTEM_DRIVER.
According to Tier Zero Security, Sysmon's altitude was set to match WdFilter's, but WdFilter still loaded first. Sysmon's Start and Type values were already 0 and 1, respectively, so the load order was being decided by the group.
Adding a "Group" value of type REG_SZ set to "FSFilter Infrastructure" to the Sysmon driver's service key made Sysmon load before WdFilter, and WdFilter, finding its altitude already taken, was prevented from loading.
The issue remains a threat to certain vendors, including MDE. Blocking Sysmon abuse alone, or simply moving the EDR MiniFilter earlier in the load order, is inadequate, because any MiniFilter with a registry-controlled altitude can take Sysmon's place and the load-order values are themselves writable; the dynamic-altitude mitigation introduced by vendor X, by contrast, may be an effective answer to this MiniFilter issue.
SOC teams should watch for suspicious registry changes to the Altitude value of every MiniFilter, not just Sysmon, as well as to the Group, Start, Type and Tag values of driver services, and react swiftly to any anomaly.
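The following PowerShell audit is an added example; it is not code from the original article or from Tier Zero Security's research. It ties the load-order values described above to the SOC advice: it enumerates every service that carries a MiniFilter "Instances" key, reads each instance's Altitude together with its registry value type, reads the service's Group, Start, Type and Tag, ranks each group by its position in ServiceGroupOrder\List, and then flags the three tampering patterns discussed on this page: two filters sharing an altitude, an altitude stored as something other than REG_SZ, and a filter that has been moved into "FSFilter Infrastructure". It assumes the standard MiniFilter registry layout (HKLM\SYSTEM\CurrentControlSet\Services\<Service>\Instances\<Instance>\Altitude); the allow-list of drivers expected in the infrastructure group is an assumption and should be tuned to the environment.

```powershell
# Added audit script (not from the original article or Tier Zero Security).
# Read-only. Run from an elevated PowerShell prompt.
# Assumes the standard MiniFilter layout:
#   HKLM\SYSTEM\CurrentControlSet\Services\<Service>\Instances\<Instance>\Altitude
# and the group load order published at Control\ServiceGroupOrder\List.

$servicesPath = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$groupOrder   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder').List

# Assumption (tunable): FltMgr is the only driver expected in "FSFilter Infrastructure".
$expectedInfrastructure = @('FltMgr')

function Get-GroupRank {
    # Index of a group in the boot load order; lower loads earlier. $null if unlisted.
    param([string]$Group)
    if ([string]::IsNullOrEmpty($Group)) { return $null }
    $i = [Array]::IndexOf($groupOrder, $Group)
    if ($i -ge 0) { $i } else { $null }
}

function Get-MiniFilterInventory {
    # One record per MiniFilter instance, carrying every value that decides
    # where the filter loads and at which altitude it attaches.
    foreach ($svc in Get-ChildItem $servicesPath -ErrorAction SilentlyContinue) {
        try { $instRoot = $svc.OpenSubKey('Instances') } catch { continue }
        if (-not $instRoot) { continue }
        $group = $svc.GetValue('Group')
        foreach ($instName in $instRoot.GetSubKeyNames()) {
            $inst = $instRoot.OpenSubKey($instName)
            if (-not $inst -or $inst.GetValueNames() -notcontains 'Altitude') { continue }
            $raw = $inst.GetValue('Altitude')
            [pscustomobject]@{
                Service      = $svc.PSChildName
                Instance     = $instName
                Altitude     = (@($raw) -join ';')            # REG_MULTI_SZ arrives as string[]
                AltitudeKind = $inst.GetValueKind('Altitude')  # 'String' = REG_SZ, 'MultiString' = REG_MULTI_SZ
                Group        = $group
                GroupRank    = Get-GroupRank $group
                Start        = $svc.GetValue('Start')          # 0 = BOOT_START, 1 = SYSTEM_START
                Type         = $svc.GetValue('Type')           # 1 = KERNEL_DRIVER, 2 = FILE_SYSTEM_DRIVER
                Tag          = $svc.GetValue('Tag')
            }
        }
    }
}

function Find-MiniFilterAnomalies {
    param([object[]]$Inventory)
    $findings = @()

    # 1. Two instances claiming one altitude: whichever loads later cannot attach.
    $Inventory | Group-Object Altitude | Where-Object Count -gt 1 | ForEach-Object {
        $members = $_.Group | ForEach-Object { "$($_.Service) [group rank $($_.GroupRank), Start $($_.Start)]" }
        $findings += "Altitude collision '$($_.Name)': " + ($members -join ' vs ')
    }

    # 2. Altitude stored as anything other than REG_SZ (the REG_MULTI_SZ evasion).
    $Inventory | Where-Object AltitudeKind -ne 'String' | ForEach-Object {
        $findings += "Non-REG_SZ altitude on $($_.Service)\$($_.Instance): kind $($_.AltitudeKind), value '$($_.Altitude)'"
    }

    # 3. A filter placed in the earliest file-system filter group so it loads first.
    $Inventory | Where-Object { $_.Group -eq 'FSFilter Infrastructure' -and $_.Service -notin $expectedInfrastructure } | ForEach-Object {
        $findings += "Unexpected member of 'FSFilter Infrastructure': $($_.Service) (Start $($_.Start), Type $($_.Type))"
    }

    return $findings
}

$inventory = Get-MiniFilterInventory
$inventory | Sort-Object GroupRank, Tag |
    Format-Table Service, Instance, Altitude, AltitudeKind, Group, GroupRank, Start, Type, Tag -AutoSize
Find-MiniFilterAnomalies -Inventory $inventory
```

The registry edits take effect at the next boot, so a single snapshot is only as good as its timing: schedule the audit at start-up and compare its inventory against the filters actually attached (`fltmc instances`), since a filter present in the registry but absent from the live list is exactly the symptom described above. For real-time coverage, audit value writes under `Services\*\Instances\*` and to Group, Start, Type and Tag of driver services (Security log event 4657 with a SACL on the keys, or Sysmon Event ID 13 with a rule whose TargetObject contains `\Instances\`), keeping in mind that Sysmon itself is one of the drivers an attacker may be tampering with and should not be the only source.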