Yarden Shafir

Your Mitigations Are My Opportunities

Abstract

Every modern Windows mitigation can be bypassed. Mitigations can have unintentional bugs, design choices that create known gaps, or just good old backwards compatibility. And while these protections may succeed in killing older exploit primitives, they also sometimes introduce entirely new ones. This talk will provide a whirlwind tour through exploitation on a modern Windows system and introduce advanced techniques for the modern attacker.

The first half of this talk will focus on some of the newer Windows mitigations, like XFG, CET, KCET, HVCI and others, and explain how they prevent and mitigate classic exploitation techniques. Then we’ll see how we can build a ROP-based exploit that will work on the most recent Windows 11 systems through a new type confusion technique.

Once we achieve code execution on the machine, we’ll turn our attention to EDRs. As EDRs become more advanced, the potential attack surface against them grows as well. We’ll examine Windows Defender, which currently runs seven drivers and multiple processes, making it an interesting potential attack surface. We’ll see how all this code provides new opportunities to an attacker, for example through a secret “debug mode”, newly available devices, and hookable kernel interfaces that allow a kernel-level attacker to hide where neither the OS nor the EDR itself will notice.

BIO

Yarden is a senior security researcher at Trail of Bits and a consultant for Winsider Seminars & Solutions Inc., co-teaching security trainings. Previously she worked at CrowdStrike and SentinelOne, working on EDR features and Windows research. Outside of her primary work duties, Yarden writes articles and tools and gives talks about various topics such as Pool internals, CET internals, extension host hooking and kernel exploit mitigations. Outside of infosec, Yarden is a circus artist, teaching and performing aerial arts.