Phantom Killer: EDR evasion via Lenovo driver
⚔️ Attack Techniques & Methods | 2026-05-21, 07:18
Researcher Jehad Abu Dagga from e& UAE (formerly Etisalat) reverse-engineered BootRepair.sys, a kernel driver shipped with Lenovo PC Manager, and found three weaknesses that together hand unprivileged code a process-kill primitive:
📌 The device object \Device\BootRepair is created without a restrictive DACL, so any low-privileged user can open it.
📌 The IOCTL dispatcher performs no caller privilege check before calling the process-termination routine (sub_14000198C in the researcher's disassembly naming) and accepts an arbitrary PID.
📌 The driver also creates the symbolic link \DosDevices\BootRepair, so the device is reachable from user mode as \\.\BootRepair with no further setup.
⚠️ The resulting PoC terminates any process given only its PID.
🥷 Key advantage for the attacker: the driver is legitimate and Lenovo-signed, so it loads under Driver Signature Enforcement (DSE) without any bypass; DSE is not what stands in the way here. The control that actually matters is Microsoft's vulnerable driver blocklist (enforced via HVCI or WDAC), and only once this driver's hash or signer is on it.
🎯 Attack scenarios:
✅ Driver already loaded (Lenovo PC Manager installed): any low-privileged user can open the device and terminate any process, EDR/AV agents included, with no privilege escalation needed.
✅ Driver not loaded: an attacker who already holds local administrator rights can drop and load the signed driver themselves (Bring Your Own Vulnerable Driver, BYOVD) and then use it to kill protected (PPL) EDR processes. Loading a driver requires SeLoadDriverPrivilege, so this path is a post-exploitation step, not an initial-access one.
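A host triage script for the exposure described above, added here as an example; it is not code from the article or from the PhantomKiller PoC. It deliberately never sends the kill IOCTL (whose code is not given on this page): it only checks whether BootRepair.sys is registered and who signed it, and whether the current user can open the device at all. It assumes the \DosDevices\BootRepair link is reached from user mode as \\.\BootRepair and that the service path ends in BootRepair.sys.

```powershell
# Triage for the BootRepair.sys exposure (added example, not the article's or the PoC's code).
# Never issues the kill IOCTL; it only opens a handle to see who can reach the device.
# Assumption: the \DosDevices\BootRepair symlink is addressable as \\.\BootRepair.

$DriverFile = 'BootRepair.sys'
$DevicePath = '\\.\BootRepair'

# --- 1. Is the driver registered on this host, and what is its provenance? ---
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like "*$DriverFile" }

if (-not $drivers) {
    "[-] No registered driver service points at $DriverFile (BYOVD would need admin rights to load it)."
}
foreach ($d in $drivers) {
    "[*] Service '$($d.Name)': state=$($d.State) start=$($d.StartMode) path=$($d.PathName)"
    # Normalise the NT-style paths Win32_SystemDriver may report (\??\C:\..., \SystemRoot\..., system32\...)
    $file = $d.PathName -replace '^\\\?\?\\', ''
    $file = $file -replace '^\\SystemRoot', $env:SystemRoot
    if ($file -notmatch '^[A-Za-z]:\\') { $file = Join-Path $env:SystemRoot $file }
    if (Test-Path -LiteralPath $file) {
        $sig = Get-AuthenticodeSignature -FilePath $file
        "    signer : $($sig.SignerCertificate.Subject) ($($sig.Status))"
        # Compare this hash against Microsoft's vulnerable driver blocklist and your own allow list.
        "    sha256 : $((Get-FileHash -Algorithm SHA256 -LiteralPath $file).Hash)"
    }
}

# --- 2. Can *this* user open the device? (no IOCTL is issued) ---
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class DevProbe {
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateFileW(string name, uint access, uint share, IntPtr sa,
                                            uint disposition, uint flags, IntPtr template);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
'@

$GENERIC_READ_WRITE = [uint32]0xC0000000   # GENERIC_READ | GENERIC_WRITE
$OPEN_EXISTING      = [uint32]3
$h   = [DevProbe]::CreateFileW($DevicePath, $GENERIC_READ_WRITE, 0, [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
$err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if ($h -ne [IntPtr]::new(-1)) {            # INVALID_HANDLE_VALUE means the open failed
    [void][DevProbe]::CloseHandle($h)
    "[!] $DevicePath opened read/write as $([Environment]::UserName) (admin=$isAdmin)."
    if (-not $isAdmin) { "    EXPOSED: an unprivileged user reaches the IOCTL dispatcher; remove or block the driver." }
} elseif ($err -eq 2) {                    # ERROR_FILE_NOT_FOUND: no such device/symlink
    "[-] $DevicePath does not exist: the driver is not loaded on this host."
} elseif ($err -eq 5) {                    # ERROR_ACCESS_DENIED: a DACL is actually in place
    "[+] $DevicePath exists but rejected this user; not reachable from this context."
} else {
    "[?] CreateFileW failed with Win32 error $err."
}
```

Run it once as a standard user and once elevated; the unprivileged run is the one that decides whether the first attack scenario applies. For the BYOVD scenario, hunt for the driver being installed rather than for its device: a new kernel service shows up as Event ID 7045 ("A service was installed in the system") in the System log, with the .sys path in the event. The driver-side remediation is the usual one for this bug class: create the device with IoCreateDeviceSecure and an SDDL that limits access to SYSTEM and Administrators, and have the dispatcher validate the caller before touching any other process.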
📎 Article: https://medium.com/@jehadbudagga/phantom-killer-reverse-engineering-and-weaponizing-a-lenovo-driver-to-terminate-edr-processes-9191cd06374f
🦠 PoC: https://github.com/redteamfortress/PhantomKiller, https://git.redteamfortress.com/j3h4ck/PhantomKiller