[Information] Microsoft banned Microsoft SysInternals Process Explorer driver #56
Labels
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
It took them 10+ years and about 4 different APT usages (which I can count/remember) to figure out that something is wrong with it.
Recent update of WDAC blocklist now include block of all Process Explorer drivers with version <=16.x. Since this driver is used in KDU as well (as victim shellcode placeholder/target) this change will also affect KDU.
New 17.x Process Explorer driver bring the following "security" improvements:
First, in IOCTL callable routine responsible for openning handle for given process it now checks whatever this process you want to open is "protected" (PsIsProtectedProcess) and if it is - then sets access flags to PROCESS_QUERY_LIMITED_INFORMATION.
Second, the routine involving ZwDuplicateObject also got similar update not allowing you to duplicate handles of protected processes or PsInitialSystemProcess.
The text was updated successfully, but these errors were encountered: