Living Off the Walled Garden - Abusing the Features of the Early Launch Antimalware Ecosystem

Explore a 36-minute Black Hat conference talk that delves into the methodology for assessing Early Launch Antimalware (ELAM) drivers and demonstrates how overly-permissive rules can be exploited by adversaries. Learn about scenarios where intended functionality can be abused without exploiting vulnerabilities, enabling malware to tamper with security products and gain anti-tampering protections. Discover how a single, overly-permissive ELAM driver can hinder detection and remediation efforts. Conclude with a demonstration of achieving user-mode code execution through an abusable, signed executable running with an antimalware-light protection level. Gain insights from presenter Matt Graeber on the potential risks within the early launch antimalware ecosystem.