GhostHook Attack Bypasses Windows 10 PatchGuard

Researchers at CyberArk have developed a bypass for Windows PatchGuard that leverages Intel’s Processor Trace (Intel PT) technology to execute code at the kernel.

A bypass of PatchGuard kernel protection in Windows 10 has been developed that brings rootkits for the latest version of the OS within reach of attackers.

Since the introduction of PatchGuard and DeviceGuard, very few 64-bit Windows rootkits have been observed; Windows 10’s security, in particular its mitigations against memory-based attacks, are well regarded. Researchers at CyberArk, however, found a way around PatchGuard through a relatively new feature in Intel processors called Processor Trace (Intel PT).

The bypass, which has been nicknamed GhostHook, is a post-exploitation attack and requires an attacker already be present on a compromised machine and running code in the kernel. As a result, Microsoft said it will not patch the issue, but may address it in a future version of Windows, CyberArk said. A request for comment from Microsoft was not returned in time for publication.

“This technique requires that an attacker has already fully compromised the targeted system. We encourage our customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers,” a Microsoft representative said in a statement provided to Threatpost.

CyberArk concedes this may be a difficult fix for Microsoft, and said the quickest path to a fix may come from security vendors whose products hook in to PatchGuard. Intel PT, which was released months after PatchGuard, enables security vendors to monitor stacks of commands that are executed in the CPU in order to identify attacks before they reach the operating system.

“We are able to execute code in the kernel and go unnoticed by any security feature Microsoft produces,” said Kobi Ben Naim, senior director of cyber research. “Many other security vendors rely on PatchGuard and on DeviceGuard in order to receive reliable information and analyze whether it’s benign or an attack. This bypass enables us to go unnoticed versus the security vendors we checked (this includes antimalware, firewalls, host-based intrusion detection and more) that rely on those security layers to provide reliable information.”

Naim said that such an attack is within the realm of a nation-state attacker and that some well known targeted intrusions such as Flame and Shamoon make use of 64-bit malware to establish a foothold on machines and networks. Naim warned as well that if exploit code were to become public and criminal operations were able to execute ransomware through this technique, the results could be “catastrophic.”

Naim said Microsoft is making a mistake in not addressing this issue sooner.

“We got an answer from Microsoft saying that because you are already an administrator on the machine, it’s already compromised. But in this case, it’s the wrong answer,” Naim said. “All of those new security layers weren’t designed to combat administrators or code that runs with administrator rights. This is a problematic answer [from Microsoft].”

CyberArk contends that the weakness is in Microsoft’s implementation of Intel PT, specifically at the point where Intel PT talks to the OS.

“The Intel feature is an API that the kernel code can ask to receive and read information from the CPU. The way that Microsoft implemented this API is the issue we found,” Naim said. “This enabled us to not only read information but enter our code into a secure location in the kernel.”

An attacker interacting at that layer can run code of their choosing and do so quietly without being detected by any number of security technology, CyberArk said.

“It’s very important to say that PatchGuard itself is a very strong mechanism, and the fact is we haven’t seen any rootkits since it was introduced in Windows 10,” Naim said.

CyberArk said it will make enough of its attack public to demonstrate that it’s feasible and enable security vendors to ready patches from their end.

Kaspersky Lab released a statement:

“Kaspersky Lab is aware of the hooking technique described by CyberArk researchers, that allows using Intel processor’s feature to circumvent Windows’ security. As conducting such an attack would require that a hacker is already running code in the kernel, this hooking technique doesn’t significantly extend an attack surface.”

Naim said CyberArk has not seen this type of attack in the wild, but believes nation-states are using it.

“We think attackers are already using it in country- or military-grade malware,” Naim said, adding that by examining research on Flame and Shamoon, nation-states are close to executing against this type of vulnerability.

“We think it’s pretty critical,” Naim said. “The real impact is if an attacker uses it, they can go uncovered for many months before someone will notice something is wrong. If we can take this capability and add it to ransomware, it would be pretty catastrophic. No player will be able to stop them once they are executing code behind PatchGuard. Today ransomware works in user mode because of PatchGuard. If they were able to execute this code behind PatchGuard, it will be a catastrophic effect.”

This article was updated June 22 with a comment from Microsoft and Kaspersky Lab.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.