CIGslip Lets Attackers Bypass Microsoft Code Integrity Guard

  /     /     /  
Publicated : 22/11/2024   Category : security


CIGslip Lets Attackers Bypass Microsoft Code Integrity Guard


The new technique would enable attackers to inject malicious content into Microsoft Edge and other protected processes.



A new attack method lets attackers bypass Microsofts Code Integrity Guard (CIG) and inject malicious code into protected processes, including Microsoft Edge. Researchers at Morphisec this week disclosed the details of the technique and proof-of-concept code.
CIG is a
mitigation
that was first introduced in Windows 10 in 2015, and later became part of Device Guard. It restricts loaded images to those signed by Microsoft, WQL, and in some cases, the Microsoft Store. The biggest benefit of CIG, researchers report, is it stops unauthorized code loading from adware and malware that has already infected the system. If an app is protected with CIG, its protected from other compromised parts of the same machine.
This technique, dubbed CIGslip, was discovered by researchers learning how to protect the Edge browser, explains Michael Gorelik, CTO and vice president of R&D at Morphisec. The team wanted to see how they would test their protect and load DLL without the process of signing. Edge is protected by CIG, as are several processes in the latest version of Windows 10.
CIGslip bypasses CIGs security mechanisms while mimicking natural Windows DLL loading from the disk. The technique abuses a non-CIG enabled process, the most popular form of process on Windows, to inject code into a CIG-protected target process. This serves as an entry point for an attacker to load any kind of code, malicious or benign, into Microsoft Edge.
We found this very easy technique … Im really surprised no one uses it, Gorelik says. This technique allowed us to load any DLL we wanted, any model we wanted, into any protected CIG process without triggering any alert notification.
CIGslip could have serious destructive potential if it gains popularity among cybercriminals, Gorelik writes in a
blog post
. Windows users are vulnerable in several ways, he reports, and businesses running Windows machines should understand the potential damage.
We do see CIG as a very important concept that blocked a major amount of adversaries and malware that tried to inject into the Edge browser, says Gorelik. Attackers could bypass CIG to steal passwords or browser history, or affect processes running outside Edge.
With this technique I can download the same adware and malware and load it into the Edge browser, or any other process, he explains.
The CIGslip method is sneaky. You dont know youre attacked unless youre monitoring and okaying every single process in the system, Gorelik continues. You definitely need to do strict detection for this.
Morphisec approached Microsoft with its findings because we considered it a very critical and serious vulnerability, says Gorelik. Microsoft claims CIGslip is outside the scope of CIG, he explains, and the company explains its reasoning for this in its
bounty terms
. While this doesnt mean Microsoft will never address the problem, it also wont prioritize it.
Microsoft reports CIG was not designed to protect against the scenario Morphisec researchers are describing, and a different tool was created to defend machines from this type of attack.
Our security feature known as Windows Defender Application Control (WDAC) protects our customers against the technique described, a spokesperson says. The Code Integrity Guard (CIG) feature was not designed to address this scenario.
The biggest implication, according to Morphisec, is attackers could use CIGslip to inject browser malware or adware. However, there is also potential for vendors to manipulate this method. CIG makes it harder for third-party security vendors to protect Edge because they need a DLL signed by Microsoft for each protective process. Some might inject protective code outside Microsofts signing process.
Related Content:
Cybersecurity Gets Added to the M&A Lexicon
How Guccifer 2.0 Got Punkd by a Security Researcher
Researchers Defeat Android OEMs Security Mitigations
Privilege Abuse Attacks: 4 Common Scenarios
 
 
 
Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the
conference
 and
to register.

Last News

▸ Senate wants changes to cybercrime law. ◂
Discovered: 23/12/2024
Category: security

▸ Car Sector Speeds Up In Security. ◂
Discovered: 23/12/2024
Category: security

▸ Making use of a homemade Android army ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
CIGslip Lets Attackers Bypass Microsoft Code Integrity Guard