Explore the weaknesses in Windows' Early Launch Antimalware (ELAM) functionality and Protected Process Light (PPL) services in this 45-minute conference talk from Recon 2022. Delve into a methodology for assessing ELAM drivers and discover how overly permissive rules can be exploited by adversaries without relying on traditional vulnerabilities such as memory corruption. Learn about scenarios where malware can gain the same anti-tampering protections as a security product, hindering detection and remediation efforts. Witness a demonstration of achieving user-mode code execution through an abusable, signed executable running at the antimalware-light protection level. Gain insights into why Microsoft labels these security features as "best-effort" and understand the limitations of these defense-in-depth measures.
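The assessment the talk describes comes down to reading the rules an ELAM driver ships in its MicrosoftElamCertificateInfo (MSELAMCERTINFOID) RCDATA resource: each rule names a certificate hash, the hash algorithm, and an optional list of EKU OIDs that a signed binary's certificate must carry before the service control manager will launch it at the antimalware-light level. A rule with an empty EKU list trusts every binary signed under that certificate, which is the kind of overly permissive rule that lets an unrelated signed executable inherit PPL protection. The following is an added example written for this page, not code from the talk or from Microsoft; it parses Microsoft's documented little-endian layout of that resource and flags permissive entries. Extracting the resource from the driver PE is left to a resource-dumping tool; the blob here is constructed in-line, and the certificate hashes and the EKU OID 1.3.6.1.4.1.99999.1.1 are hypothetical placeholders.

```python
"""Parse and assess an ELAM driver's MicrosoftElamCertificateInfo resource.

Documented RCDATA layout (little-endian):
    WORD  entry_count
    per entry:
        NUL-terminated UTF-16LE string   hex hash of the trusted certificate
        WORD                             ALG_ID of the hash
        NUL-terminated UTF-16LE string   ';'-separated EKU OIDs (may be empty)
"""
import struct
from dataclasses import dataclass

# ALG_ID values accepted in the resource (CALG_SHA_256 / _384 / _512).
ALGORITHMS = {0x800C: "SHA-256", 0x800D: "SHA-384", 0x800E: "SHA-512"}
HEX_DIGITS = {0x800C: 64, 0x800D: 96, 0x800E: 128}


@dataclass
class ElamRule:
    cert_hash: str   # hex digest of the trusted certificate
    algorithm: int   # ALG_ID of that digest
    ekus: list       # EKU OIDs the signing certificate must carry; [] = any


def _read_wstr(buf: bytes, off: int):
    """Read a NUL-terminated UTF-16LE string starting at `off`."""
    end = off
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
        if end + 2 > len(buf):
            raise ValueError("unterminated UTF-16 string in ELAM resource")
    return buf[off:end].decode("utf-16-le"), end + 2


def parse_elam_cert_info(blob: bytes) -> list:
    """Decode the resource blob into ElamRule objects, rejecting trailing bytes."""
    (count,) = struct.unpack_from("<H", blob, 0)
    off = 2
    rules = []
    for _ in range(count):
        cert_hash, off = _read_wstr(blob, off)
        (alg,) = struct.unpack_from("<H", blob, off)
        off += 2
        eku_str, off = _read_wstr(blob, off)
        rules.append(ElamRule(cert_hash.lower(), alg, [e for e in eku_str.split(";") if e]))
    if off != len(blob):
        raise ValueError(f"{len(blob) - off} trailing bytes after last rule")
    return rules


def build_elam_cert_info(rules) -> bytes:
    """Inverse of parse_elam_cert_info; used here only to construct the sample."""
    out = struct.pack("<H", len(rules))
    for r in rules:
        out += r.cert_hash.encode("utf-16-le") + b"\x00\x00"
        out += struct.pack("<H", r.algorithm)
        out += ";".join(r.ekus).encode("utf-16-le") + b"\x00\x00"
    return out


def assess_rule(rule: ElamRule) -> list:
    """Return findings for one rule; an empty list means nothing obviously permissive."""
    findings = []
    name = ALGORITHMS.get(rule.algorithm)
    if name is None:
        findings.append(f"unknown hash algorithm 0x{rule.algorithm:04x}")
    elif (len(rule.cert_hash) != HEX_DIGITS[rule.algorithm]
          or any(c not in "0123456789abcdef" for c in rule.cert_hash)):
        findings.append(f"hash is not a valid {name} hex digest")
    if not rule.ekus:
        findings.append("no EKU restriction: every binary signed under this certificate "
                        "qualifies for the antimalware-light protection level")
    return findings


def audit(blob: bytes) -> dict:
    """Map each rule's certificate hash to its list of findings."""
    return {r.cert_hash: assess_rule(r) for r in parse_elam_cert_info(blob)}


# CONSTRUCTED sample: hypothetical hashes and a hypothetical EKU OID.
SAMPLE_RULES = [
    ElamRule("0123456789abcdef" * 4, 0x800C, ["1.3.6.1.4.1.99999.1.1"]),
    ElamRule("fedcba9876543210" * 4, 0x800C, []),   # the permissive one
]
SAMPLE_BLOB = build_elam_cert_info(SAMPLE_RULES)

if __name__ == "__main__":
    for cert_hash, findings in audit(SAMPLE_BLOB).items():
        print(cert_hash, "->", findings or ["ok"])
```

Running it reports the first rule as clean and the second as permissive. On a real driver, the same audit would be run on the bytes of the MSELAMCERTINFOID resource, and a rule trusting a certificate that also signs non-security binaries with no EKU restriction is exactly the case worth escalating to the vendor.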