2022-12-12

SafeBreach cybersecurity researcher Or Yair has found a way to exploit antivirus quarantine features to turn them into data wipers.

Yair managed the feat using endpoint detection and response (EDR) and antivirus (AV) software from Avast, AVG, Microsoft, SentinelOne, and TrendMicro.

The technique allows stealthy attacks and removes the need for privileged access to carry out destructive ones.

Data wiping attacks carried out by abusing AVs and EDRs can effectively bypass a system’s defences as the file deletion features of security solutions are expected behaviour and would likely be overlooked.

“There are two main events when an EDR deletes a malicious file. First, the EDR identifies a file as malicious and then it deletes the file,” Yair explained.

“If I could do something between these two events, using a junction, I might be able to point the EDR towards a different path.”

Yair’s approach was to create a C:\temp\Windows\System32\drivers folder in which he would store the Mimikatz program as “ndis.sys”.

The idea was to have the program detected as malicious when created, at which point Yair would quickly delete the C:\temp folder and create a junction from C:\temp to C:\Windows.

In theory, this would cause the EDR to try to delete the ndis.sys file, which now points to the valid C:\Windows\system32\drivers\ndis.sys file.

However, some EDRs prevented the deletion of the file after it was detected as malicious, while others noticed that the file had already been deleted and dismissed the wiping action.

Yair solved this by creating the malicious file, holding its handle by keeping it open, and not defining which processes have permission to delete it.

The security tools then prompted a restart to release the handle, freeing the file for deletion.

“What’s surprising about this default Windows feature is that once it reboots, Windows starts deleting all the paths and blindly follows junctions,” Yair noted.

He found that by using the following process, he could delete files in directories for which he had no modification privileges.

1. Create a specific path for the malicious file at C:\temp\Windows\System32\drivers\ndis.sys;
2. Hold its handle open to force the defence software to postpone deletion until after a reboot;
3. Delete the C:\temp directory;
4. Create the C:\temp → C:\ junction; and,
5. Reboot when prompted.
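The weakness in the sequence above is that the security product remembers only a path string between the two events (detection and deletion), so whatever that string resolves to at deletion time gets removed. The following is an added illustration of the check a deletion routine should make instead; it is not SafeBreach's or any vendor's code. It records, at detection time, where the path resolved to and the identity (device and inode / file index) of the object found there, and refuses to delete if either has changed. The directory layout mirrors the article's (a "temp" tree shadowing the real one) inside a scratch directory, and a symbolic link stands in for the Windows junction so the script runs on any platform; both are constructed for the example.

```python
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class QuarantineRecord:
    """What should be remembered at detection time: not just the path string,
    but where it resolved to and the identity of the object found there."""
    path: str
    resolved: str
    identity: tuple  # (st_dev, st_ino); on Windows st_ino is the file index


def record_detection(path):
    """Event 1 in the article: the scanner flags the file."""
    st = os.stat(path)
    return QuarantineRecord(
        path=os.path.abspath(path),
        resolved=os.path.realpath(path),
        identity=(st.st_dev, st.st_ino),
    )


def safe_delete(rec):
    """Event 2: delete only if the path still resolves to the same place and
    the same object as when it was detected. A junction or link inserted in
    between changes the resolved path, and the object it now reaches has a
    different identity, so both checks catch the swap independently."""
    try:
        st = os.lstat(rec.path)
    except FileNotFoundError:
        return "skipped: file already gone"
    if os.path.realpath(rec.path) != rec.resolved:
        return "refused: path now resolves elsewhere (junction or link inserted)"
    if (st.st_dev, st.st_ino) != rec.identity:
        return "refused: object at path is not the one that was detected"
    os.remove(rec.path)
    return "deleted"


def demo(tamper):
    """Constructed scenario: <root>/Windows/System32/drivers/ndis.sys is the
    legitimate file, <root>/temp/Windows/System32/drivers/ndis.sys the flagged
    copy. With tamper=True the temp directory is replaced by a link to <root>
    between detection and deletion, as the article describes (a symlink here
    stands in for the Windows junction)."""
    with tempfile.TemporaryDirectory() as root:
        real = os.path.join(root, "Windows", "System32", "drivers", "ndis.sys")
        flagged = os.path.join(root, "temp", "Windows", "System32", "drivers", "ndis.sys")
        for p, content in ((real, "legitimate driver"), (flagged, "flagged sample")):
            os.makedirs(os.path.dirname(p))
            with open(p, "w") as f:
                f.write(content)

        rec = record_detection(flagged)

        if tamper:
            shutil.rmtree(os.path.join(root, "temp"))
            os.symlink(root, os.path.join(root, "temp"), target_is_directory=True)

        # What a deletion that trusts only the stored path string would remove now
        naive_target = os.path.realpath(rec.path)
        outcome = safe_delete(rec)
        return {
            "naive_target_is_real_file": naive_target == os.path.realpath(real),
            "outcome": outcome,
            "real_file_survives": os.path.exists(real),
        }


if __name__ == "__main__":
    print("no tampering:", demo(tamper=False))
    print("temp swapped for link:", demo(tamper=True))
```

In the tampered run the stored path string now points at the legitimate file (naive_target_is_real_file is true), yet safe_delete refuses and the real file survives; in the untampered run the flagged copy is deleted as intended. A deferred deletion queued for the next reboot needs the same record, since the path is re-resolved only after the attacker has had the whole interval to rearrange the directory tree.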

Yair tested the exploit with 11 security tools and found that Microsoft Defender, Defender for Endpoint, SentinelOne EDR, TrendMicro Apex One, Avast Antivirus, and AVG Antivirus were all vulnerable.

SafeBreach reported the vulnerabilities to the affected vendors in July and August 2022.

“We then worked closely with them over the next four months on the creation of a fix prior to this publication,” it added.