A brand new instrument named GhostLocker has been launched, demonstrating a novel approach to neutralize Endpoint Detection and Response (EDR) techniques by weaponizing the native Home windows AppLocker function.
Developed by safety researcher zero2504, the instrument highlights a elementary architectural vulnerability in fashionable EDR options: their reliance on userland parts for evaluation and reporting.
In contrast to conventional EDR bypasses that try to take advantage of kernel drivers or carry out advanced reminiscence manipulation, GhostLocker leverages the inherent authority granted to system directors. The instrument makes use of AppLocker, Microsoft’s utility whitelisting framework launched in Home windows 7, to implement “Deny” guidelines towards EDR executables.
The idea is easy however efficient: directors have the respectable energy to manage software program execution. GhostLocker automates this by deploying insurance policies that explicitly block EDR processes from launching or restarting.
The instrument presents two modes of operation: a dynamic model that enumerates operating processes to generate exact guidelines, and a static model that makes use of wildcard paths (e.g., *MsMpEng.exe) to dam targets with out prior enumeration.
The analysis behind GhostLocker reveals that whereas AppLocker can not terminate already operating processes, a easy reboot after coverage utility renders the EDR ineffective.
Crucially, the instrument doesn’t block the EDR’s kernel drivers (*.sys). These drivers proceed to load, register callbacks, and acquire telemetry.
Nonetheless, the analysis findings present that this telemetry turns into ineffective with out the corresponding userland providers. Trendy EDRs depend on user-mode parts to correlate occasions, carry out behavioral evaluation, and ship alerts to the cloud. When these userland “brains” are blocked by AppLocker, the EDR is successfully blinded, though its kernel “eyes” are nonetheless open.
Throughout in depth testing towards business EDR merchandise, GhostLocker achieved full neutralization. Regardless of the blocking, administration consoles continued to report the brokers as “on-line” and “protected,” because the heartbeat mechanisms have been typically decoupled from the evaluation engines. Moreover, beforehand detected injection assaults went unnoticed as a result of the behavioral evaluation engines couldn’t execute.
The instrument additionally demonstrates a definite benefit over Home windows Defender Software Management (WDAC) assaults. Whereas WDAC operates on the kernel stage to dam drivers, AppLocker insurance policies are strictly userland, making them simpler to deploy for focused blocking whereas sustaining the looks of a functioning system.
The discharge emphasizes that this isn’t an exploit, however an abuse of respectable options. To defend towards this, organizations are suggested to observe for AppLocker coverage modifications by way of AppID.sys IOCTL alerts and to make sure their safety merchandise make the most of the Get-AppLockerFileInformation API to pre-validate their very own execution standing.
Comply with us on Google Information, LinkedIn, and X for day by day cybersecurity updates. Contact us to function your tales.
