In February 2021, Microsoft patched a privilege escalation bug in Microsoft Defender Antivirus (formerly Windows Defender) that could let a local attacker gain administrative rights on a vulnerable host and disable the security products installed on it. SentinelOne researchers, who discovered the issue, report that the flaw was introduced back in 2009 and went unnoticed for some 12 years.
The problem (CVE-2021-24092) stems from the BTR.sys driver, which Defender uses to remove file system and registry resources left behind by malware on an infected machine. Because the driver does not verify that the file it writes to is not a link, an attacker can plant a malicious link and have the privileged driver overwrite an arbitrary file. Consequently, CVE-2021-24092 can be exploited by a local, unprivileged attacker in a variety of intrusion scenarios, with no user interaction required.
Security analysts believe the vulnerability went unnoticed for so long because the driver is not normally present on disk; Defender drops it only when a remediation requires it. Although the flaw has been in Windows Defender for a long time, there is no indication of exploitation in the wild. Still, researchers expect adversaries to attempt to leverage this security hole against unpatched users now that it has been publicly disclosed.
SentinelOne reported the vulnerability to the Microsoft Security Response Center in November 2020, and the vendor patched it in the February 9, 2021 release. The last Microsoft Malware Protection Engine version affected by this bug is 1.1.17700.4; the first fixed version is 1.1.17800.5, so you are protected if that engine version (or a later one) is installed.
Notably, the patch for CVE-2021-24092 is installed automatically on all hosts running affected Windows Defender versions, provided Windows Defender updates are enabled, so check that they are. Alternatively, apply the fix manually for immediate mitigation.
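To verify the fix on a host rather than trusting that automatic updates ran, compare the installed engine version against the first fixed build named above. The following PowerShell is an added example written for this article, not code from SentinelOne or Microsoft; it assumes the built-in Defender module (`Get-MpComputerStatus`, `Update-MpSignature`) is available, and the function name `Test-DefenderEnginePatched` is our own.

```powershell
# Added example: check whether the installed Microsoft Malware Protection Engine
# is at or above the first version that fixes CVE-2021-24092.
$FirstFixedEngine = [version]'1.1.17800.5'   # first fixed build per the advisory

function Test-DefenderEnginePatched {
    param(
        [Parameter(Mandatory)][version]$Installed,
        [version]$FirstFixed = $FirstFixedEngine
    )
    # [version] comparison is numeric per component, so 1.1.17800.5 > 1.1.17700.4
    return $Installed -ge $FirstFixed
}

# AMEngineVersion is the engine (not signature) version reported by Defender.
$status    = Get-MpComputerStatus
$installed = [version]$status.AMEngineVersion

if (Test-DefenderEnginePatched -Installed $installed) {
    Write-Output "Engine $installed is >= $FirstFixedEngine: CVE-2021-24092 is fixed on $env:COMPUTERNAME"
} else {
    Write-Warning "Engine $installed is < $FirstFixedEngine: host is still affected, updating"
    # Pulls the current engine and signatures from the configured update source.
    # Run from an elevated session; it can fail without administrative rights.
    Update-MpSignature
    $installed = [version](Get-MpComputerStatus).AMEngineVersion
    Write-Output "Engine after update: $installed"
}
```

For fleet-wide verification, run the same check through `Invoke-Command` against your hosts and collect the hostnames that still report an engine below 1.1.17800.5; those are the machines whose update path needs attention.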
To detect malicious activity associated with CVE-2021-24092, you can download a dedicated Sigma rule from SOC Prime:
The rule has translations to the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye Helix
EDR: Microsoft Defender ATP, Carbon Black, SentinelOne
Tactics: Privilege Escalation
Techniques: Exploitation for Privilege Escalation (T1068)
If you do not have paid access to the Threat Detection Marketplace, this Sigma rule can be unlocked by activating a free trial under a community subscription.
Stay tuned to our blog for the most relevant detections for emerging threats. Additional rules related to CVE-2021-24092 will be added to this article.
Sign up for Threat Detection Marketplace, a world-leading content-as-a-service (CaaS) platform that provides detection, enrichment, integration, and automation algorithms to support security practitioners in translating big data, logs, and cloud telemetry into cybersecurity signals. You can stream curated SOC content directly to the SIEM, EDR, NSM, and SOAR tools of your choice, boosting your threat detection capabilities. Want to craft your own Sigma rules and support the global threat hunting community? Join our Threat Bounty Program!