Adversaries may exploit a TOCTOU (time-of-check to time-of-use) vulnerability in EDR and AV solutions to elevate privileges by creating malicious files inside the race window. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate privilege escalation attempts that target endpoint security solutions.
KQL Query
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
| where FileName endswith "ndis.sys"
| where FolderPath startswith "C:\\temp\\Windows\\System32\\drivers\\"
id: a9eb9b06-4345-47f2-abe6-29f7200ddf83
name: Windows Antivirus and EDR Elevation of Privilege Vulnerability
description: |
  Detects malicious file creations that exploit a TOCTOU vulnerability in leading Endpoint Detection and Response (EDR) and Antivirus (AV) solutions:
  - Microsoft Defender (CVE-2022-37971)
  - Defender for Endpoint (CVE-2022-37971)
  - SentinelOne EDR
  - TrendMicro Apex One (CVE-2022-45797)
  - Avast Antivirus (CVE-2022-4173)
  - AVG Antivirus (CVE-2022-4173)
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
tactics:
  - PrivilegeEscalation
  - LateralMovement
relevantTechniques:
  - T1574
query: |
  DeviceFileEvents
  | where Timestamp > ago(7d)
  | where ActionType == "FileCreated"
  | where FileName endswith "ndis.sys"
  | where FolderPath startswith "C:\\temp\\Windows\\System32\\drivers\\"
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
Known false-positive scenarios and the exclusion to apply for each. In DeviceFileEvents the process that created the file is described by the InitiatingProcess* columns, so the exclusions are written against those columns as KQL where clauses (each keeps an event unless every condition of the benign scenario matches).

Scenario: A system administrator is performing a scheduled scan using Microsoft Defender Antivirus during a routine maintenance window.
Filter/Exclusion: | where InitiatingProcessFileName != "MsMpEng.exe" or InitiatingProcessParentFileName != "Windows Defender Antivirus Service"

Scenario: A Windows Update task is running, which temporarily creates files in the system directory as part of the update process.
Filter/Exclusion: | where InitiatingProcessFileName != "wuauclt.exe" or InitiatingProcessParentFileName != "svchost.exe"

Scenario: A scheduled PowerShell script is executed by an admin to perform a system cleanup, which may involve creating temporary files in protected directories.
Filter/Exclusion: | where InitiatingProcessFileName != "powershell.exe" or InitiatingProcessCommandLine !contains "Cleanup" or InitiatingProcessAccountName != "Administrator"

Scenario: Microsoft Defender for Endpoint is performing a real-time scan and temporarily creates files in the system directory as part of its analysis process.
Filter/Exclusion: | where InitiatingProcessFileName != "MsDefender.exe" or InitiatingProcessParentFileName != "MsDefenderService.exe"

Scenario: A third-party EDR tool (e.g., CrowdStrike Falcon) is running a memory scan and creates temporary files in memory or on disk.
Filter/Exclusion: | where InitiatingProcessFileName != "falcon.exe" or InitiatingProcessParentFileName != "falconsvc.exe"
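As an added example (not the rule's own query), this broadens the detection above beyond the single hard-coded path and driver name: it flags any .sys file created in a folder that mimics \Windows\System32\drivers\ outside the real Windows directory, and applies the process-name exclusions from the false-positive scenarios above. The 7-day lookback, C: as the system drive and the contents of the benign_initiators set are assumptions.

```kql
// Added example, not the rule's own query: generalize the detection above.
// Instead of one hard-coded folder and driver name, flag any .sys file created in a
// folder that contains \Windows\System32\drivers\ but is not under the real Windows
// directory, then drop the initiating processes the false-positive list treats as benign.
// Assumptions: 7d lookback, C: as the system drive, and the process names listed below.
let lookback = 7d;
let mimicked_dir = @"\Windows\System32\drivers\";   // what a staged path contains
let real_windows_root = @"C:\Windows\";             // where the legitimate copy lives
// Initiating processes named as benign in the false-positive scenarios above
let benign_initiators = dynamic(["MsMpEng.exe", "wuauclt.exe", "MsDefender.exe", "falcon.exe"]);
DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType == "FileCreated"
| where FileName endswith ".sys"
| where FolderPath contains mimicked_dir
| where FolderPath !startswith real_windows_root
| where InitiatingProcessFileName !in~ (benign_initiators)
// Mark the exact driver name the rule above looks for so analysts can triage it first
| extend MatchesKnownDriver = FileName =~ "ndis.sys"
| summarize Events = count(),
            Files = make_set(FileName, 20),
            Folders = make_set(FolderPath, 20),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            KnownDriverHits = countif(MatchesKnownDriver)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessParentFileName,
       InitiatingProcessAccountName, InitiatingProcessCommandLine
| order by KnownDriverHits desc, Events desc
```

Each result row is one device plus one initiating process, so a single staged directory tree shows up as one line with its files and folders collected, rather than one alert per file.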