An interesting article from the Microsoft Defender ATP Research Team about the inner workings of Windows Defender. Detecting and stopping attacks that tamper with kernel-mode agents at the hypervisor level is a critical component of the unified endpoint protection platform in Microsoft Defender Advanced Threat Protection.
Recently, the Microsoft Defender ATP research team found a malicious system driver enabling a token swap attack that could lead to privilege escalation. In this blog, we'll share our analysis of this attack and discuss how Windows Defender Antivirus uses its unique visibility into system behaviors to detect dangerous kernel threats.
The full article covers:
- Hardware-based root of trust
- Detecting token theft attacks
- Device integrity for broader security
Architecturally, the solution is collectively referred to as the Windows Defender System Guard runtime monitor and consists of the following client-side components:
- The VTL-1 runtime assertion engine itself
- VTL-0 kernel-mode agent
- VTL-0 process we call the ‘broker’ to host the assertion engine
Links to various security resources are included. Very insightful!