Query Details

Bring Your Own Minifilter EDR Bypass

Query

// Detect "Bring Your Own Minifilter" attempts to bypass EDR.
// By default Windows refuses to load unsigned drivers, but an attacker running as SYSTEM
// (disabling integrity checks or enabling test signing) or holding a stolen code-signing
// certificate can get past that control. EDR vendors should register their minifilters at a high altitude.
let Lookbackdays = 90d;
// 1. bcdedit changes that allow unsigned or test-signed drivers to load
let BringYourOwnMiniFilter_bcdeditProcs = DeviceProcessEvents
| where TimeGenerated > ago(Lookbackdays)
| where ProcessCommandLine contains "bcdedit.exe -set loadoptions DISABLE_INTEGRITY_CHECKS" or ProcessCommandLine contains "bcdedit.exe -set TESTSIGNING ON";
// 2. Creation of a file-system filter driver service via sc.exe
let BringYourOwnMiniFilter_ServiceCreation = DeviceProcessEvents
| where TimeGenerated > ago(Lookbackdays)
| where ProcessCommandLine contains @"sc create nullfilter type=filesys start=system binPath=C:\m.sys";
// 3. Registry writes to a minifilter's altitude or to the driver-signing policy
let BringYourOwnMiniFilter_registryKeychange = DeviceRegistryEvents
| where TimeGenerated > ago(Lookbackdays)
| where ActionType == "RegistryKeyCreated" or ActionType == "RegistryValueSet"
| where (RegistryKey startswith @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\" and RegistryKey endswith @"\Instances\AltitudeAndFlags") or RegistryKey == @"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Driver Signing";
BringYourOwnMiniFilter_bcdeditProcs
| union BringYourOwnMiniFilter_ServiceCreation
| union BringYourOwnMiniFilter_registryKeychange

Explanation

This KQL query is designed to detect potential attempts to bypass Endpoint Detection and Response (EDR) systems by using unauthorized or malicious minifilter drivers on Windows systems. Here's a simplified explanation of what the query does:

  1. Lookback Period: The query examines events from the past 90 days.
  2. Detecting Command Line Activity:
    • It looks for processes whose command line includes bcdedit.exe -set loadoptions DISABLE_INTEGRITY_CHECKS or bcdedit.exe -set TESTSIGNING ON. These commands disable integrity checks or enable test signing, either of which allows unsigned drivers to be loaded.
  3. Detecting Service Creation:
    • It checks for the creation of a service with the command line containing sc create nullfilter type=filesys start=system binPath=C:\m.sys, which could indicate a malicious minifilter driver being registered as a file-system filter service.
  4. Monitoring Registry Changes:
    • It monitors the creation or modification of registry keys related to the driver-signing policy and to minifilter altitude settings (the AltitudeAndFlags value under a filter service's Instances key). These changes could be used to manipulate driver loading behavior.
  5. Combining Results:
    • The query unions the results of the above checks to surface any suspicious activity related to the use of unauthorized minifilter drivers.

Overall, this query aims to detect potential security threats by identifying activities that could allow malicious drivers to bypass security mechanisms on Windows systems.
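To unit-test the detection logic without a tenant, the three rules above re-implemented in Python and run over constructed sample rows (an added example, not the page's query). It assumes the same column names as the KQL; its service-creation rule is generalised to any file-system filter service created through sc.exe, whereas the page's query matches one literal command line.

```python
import re
# Added example: the page's three rules re-implemented for offline unit tests; KQL string ops are case-insensitive.
BCDEDIT_PATTERNS = (
    "bcdedit.exe -set loadoptions DISABLE_INTEGRITY_CHECKS",
    "bcdedit.exe -set TESTSIGNING ON",
)
# Generalisation (an assumption of this example, not the page's literal rule):
# any file-system filter service created via sc.exe, whatever its name/binPath.
SC_FILESYS_RE = re.compile(r"\bsc(?:\.exe)?\s+create\s+\S+.*\btype=\s*filesys\b", re.I)
SERVICES_PREFIX = "hkey_local_machine\\system\\currentcontrolset\\services\\"
ALTITUDE_SUFFIX = "\\instances\\altitudeandflags"
DRIVER_SIGNING_KEY = "hkey_current_user\\software\\policies\\microsoft\\windows nt\\driver signing"
REGISTRY_ACTIONS = {"RegistryKeyCreated", "RegistryValueSet"}

def classify_process(cmdline):
    """Rules 1 and 2: boot-config tampering or filesys service creation."""
    if any(p.lower() in cmdline.lower() for p in BCDEDIT_PATTERNS):
        return "bcdedit_integrity_or_testsigning"
    if SC_FILESYS_RE.search(cmdline):
        return "filesys_service_creation"
    return None

def classify_registry(action, key):
    """Rule 3: a minifilter altitude key or the driver-signing policy key."""
    if action not in REGISTRY_ACTIONS:
        return None
    k = key.lower()
    if k.startswith(SERVICES_PREFIX) and k.endswith(ALTITUDE_SUFFIX):
        return "minifilter_altitude_change"
    return "driver_signing_policy_change" if k == DRIVER_SIGNING_KEY else None

def rule_for(ev):
    """Dispatch a row to the rule set for its source table."""
    if ev["table"] == "DeviceProcessEvents":
        return classify_process(ev["ProcessCommandLine"])
    return classify_registry(ev["ActionType"], ev["RegistryKey"])

def detect(events):
    """Return [(event, rule)] for every flagged row; benign rows drop out."""
    return [(ev, rule_for(ev)) for ev in events if rule_for(ev)]

# Constructed sample rows (not real telemetry); the third and fifth are benign.
SAMPLE_EVENTS = [
    {"table": "DeviceProcessEvents", "ProcessCommandLine": "BCDEdit.exe -set testsigning on"},
    {"table": "DeviceProcessEvents", "ProcessCommandLine": "sc.exe create testflt type= filesys start= system binPath= C:\\m.sys"},
    {"table": "DeviceProcessEvents", "ProcessCommandLine": "sc.exe query WdFilter"},
    {"table": "DeviceRegistryEvents", "ActionType": "RegistryValueSet", "RegistryKey": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\testflt\\Instances\\AltitudeAndFlags"},
    {"table": "DeviceRegistryEvents", "ActionType": "RegistryValueSet", "RegistryKey": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WdFilter\\Parameters"},
]
```

Running `detect(SAMPLE_EVENTS)` flags the first, second and fourth rows; the `sc query` and the WdFilter Parameters write fall through, matching what the KQL would return.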

Details

Jay Kerai

Released: December 31, 2024

Tables

DeviceProcessEvents, DeviceRegistryEvents

Keywords

DeviceProcessEvents, DeviceRegistryEvents

Operators

let, |, where, >, ago(), contains, or, ==, startswith, endswith, union