[Information] Microsoft banned Microsoft SysInternals Process Explorer driver
hfiref0x opened this issue · 0 comments
It took them 10+ years and about 4 different APT usages (which I can count/remember) to figure out that something is wrong with it.
The recent update of the WDAC blocklist now includes a block of all Process Explorer drivers with version <=16.x. Since this driver is used in KDU as well (as a victim shellcode placeholder/target), this change will also affect KDU.
The new 17.x Process Explorer driver brings the following "security" improvements:
First, the IOCTL-callable routine responsible for opening a handle to a given process now checks whether the process you want to open is "protected" (PsIsProtectedProcess) and, if it is, sets the access flags to PROCESS_QUERY_LIMITED_INFORMATION.
Second, the routine involving ZwDuplicateObject also got a similar update, not allowing you to duplicate handles of protected processes or PsInitialSystemProcess.