Oddbean new post about login | logout The fact that they can push kernel drivers at will without permission. insanity. 🤦♂️
The service is installed as admin. It can do whatever the hell it wants. This is standard for EDR agents.
It is installed as a kernel mode driver which is even higher privileges than a user mode admin. It isn't quite standard for EDR agents as there are a lot of solutions whose agents only use usermode hooking for their detections.
When I was surveying the landscape it was certainly true, but that was a while ago. Which are usermode only?
A lot are still usermode hooks. Some are mixed. For example, CarbonBlack has some kernel level drivers for file and network detections, but its prevention policies all operate as usermode hooks. https://github.com/Mr-Un1k0d3r/EDRs
Ya but we’re not just talking about detections. The agent for each of these still needs kernel admin to hook? So you’d have to abuse the deployed agent in most cases, which is too sophisticated for 99.999% of attacks, but the risk is still present, right?
No, you don't need kernel mode access to hook into API calls like NtReadVirtualMemory, NtOpenProcess, etc which are all API calls that exist in usermode space. Having usermode hooks certainly makes it easier for malware to thus unhook the security agent and avoid detection. So it is a trade off.