Some endpoint detection and response (EDR) and antivirus products contain a flaw that lets an attacker turn them into a tool for erasing virtually any data on the systems they protect. Security researcher Or Yair of SafeBreach showed that Microsoft Windows Defender, Microsoft Defender for Endpoint, Trend Micro Apex One, Avast Antivirus, AVG Antivirus, and SentinelOne can all be turned into data wipers. The technique abuses the security tool already present on the target: it runs stealthily, needs no privileged access, and wipes data by having the product delete it on the attacker's behalf.
Wipers are a special type of destructive malware that purposely erases or corrupts data on compromised systems and attempts to make it so that victims cannot recover the data.
Exploiting the Issue
Yair says that to trigger the issue on vulnerable systems he first created a malicious file, using only the permissions of an unprivileged user, so the EDR would detect it and attempt to delete it. He then found a way to force the EDR to postpone the deletion until after a reboot by keeping the malicious file open. His next step was to create a C:\TEMP\ directory on the system, turn it into a junction pointing at a different directory, and arrange things so that when the EDR product attempted to delete the malicious file after the reboot, it followed the path to a different file altogether. Yair found he could use the same trick to delete multiple files in different places on a computer by creating one junction and placing specially crafted paths to the targeted files beneath it for the EDR product to follow.
The first attempt relied on a race. A copy of Mimikatz, which most EDR platforms including Microsoft Defender detect on sight, was written under C:\Temp using a path that mirrors the location of a legitimate system driver, so that the product would flag it as malicious the moment it was created. Before the EDR could delete the file, the researcher would quickly delete the C:\Temp folder and create a Windows junction from C:\Temp to C:\Windows.
The hope was that the EDR would then attempt to delete the ndis.sys file by its recorded path, which, because of the junction, now resolved to the legitimate C:\Windows\system32\drivers\ndis.sys.
The reliable approach was to create the malicious file, keep a handle to it open, and open it with a share mode that grants no other process permission to write to or delete it, so that any EDR or AV that detects the file cannot remove it immediately.
Once detection fired and the product found it could not delete the locked file, it prompted the researcher to approve a system reboot. The reboot would release the handle, and the product would carry out the deferred deletion of the "malicious" path afterwards, by which time the junction was in place.
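The core of the technique described above is a time-of-check to time-of-use bug: the product records a path at detection time and re-resolves that path at deletion time, after the attacker has replaced a directory component with a junction. The following is an added example, not Yair's Aikido tool nor any vendor's code. It uses a POSIX directory symlink as a stand-in for a Windows junction, reproduces the naive deferred delete beside a hardened one that re-verifies file identity before removing anything, and uses constructed file contents; the `Temp`, `Windows` and `ndis.sys` names mirror the article and everything else is assumed.

```python
"""Deferred-delete TOCTOU: naive path-based delete vs. identity-checked delete.

Added example, not code from the article, SafeBreach or any EDR vendor.
A symlink on a directory stands in for a Windows junction.
"""
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass
class PendingDelete:
    """What a product records when it defers deletion until reboot."""
    path: str       # path as recorded at detection time
    dev: int        # device id of the detected file
    ino: int        # inode / file id of the detected file
    realpath: str   # fully resolved path at detection time


def detect(path: str) -> PendingDelete:
    """Detection: capture the file's identity, not just its name."""
    st = os.stat(path)
    return PendingDelete(path, st.st_dev, st.st_ino, os.path.realpath(path))


def naive_deferred_delete(job: PendingDelete) -> str:
    """Vulnerable: after 'reboot', delete whatever the recorded path resolves to now."""
    os.remove(job.path)
    return job.path


def has_link_component(path: str) -> bool:
    """True if any directory component of path is a symlink (junction stand-in)."""
    cur = os.path.dirname(path)
    while cur and cur != os.path.dirname(cur):
        if os.path.islink(cur):
            return True
        cur = os.path.dirname(cur)
    return False


def hardened_deferred_delete(job: PendingDelete) -> bool:
    """Refuse unless the path still names the exact file seen at detection."""
    try:
        st = os.lstat(job.path)
    except FileNotFoundError:
        return False
    if os.path.realpath(job.path) != job.realpath:   # a component now redirects
        return False
    if has_link_component(job.path):                  # no junctions/links in the chain
        return False
    if (st.st_dev, st.st_ino) != (job.dev, job.ino):  # different file object
        return False
    os.remove(job.path)
    return True


def run_scenario(hardened: bool) -> dict:
    """Build the layout, detect, swap Temp for a link to Windows, run the delete."""
    with tempfile.TemporaryDirectory() as root:
        windows = os.path.join(root, "Windows", "system32", "drivers")
        temp = os.path.join(root, "Temp", "system32", "drivers")
        os.makedirs(windows)
        os.makedirs(temp)
        legit = os.path.join(windows, "ndis.sys")
        decoy = os.path.join(temp, "ndis.sys")
        with open(legit, "wb") as f:
            f.write(b"legitimate driver bytes (constructed)")
        with open(decoy, "wb") as f:
            f.write(b"payload the product flags as malicious (constructed)")

        job = detect(decoy)  # product flags the decoy and defers deletion

        # Attacker, unprivileged: tear down Temp and replace it with a
        # junction-like link to the real Windows directory.
        shutil.rmtree(os.path.join(root, "Temp"))
        os.symlink(os.path.join(root, "Windows"), os.path.join(root, "Temp"))

        # "After reboot": the deferred deletion runs.
        if hardened:
            deleted = hardened_deferred_delete(job)
        else:
            naive_deferred_delete(job)
            deleted = True
        return {"deleted": deleted, "legit_survived": os.path.exists(legit)}


if __name__ == "__main__":
    print("naive:   ", run_scenario(hardened=False))
    print("hardened:", run_scenario(hardened=True))
```

The naive variant removes the legitimate driver because `os.remove` resolves the link in the directory chain at deletion time; the hardened variant refuses because the resolved path, the link-free requirement and the device/inode pair all disagree with what was captured at detection. On Windows the equivalent checks are to open the target with reparse-point following disabled and to compare the volume serial and file ID recorded at detection before deleting.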
Yair says that in most cases organizations can recover deleted files, so getting an EDR to delete files on a system by itself, while bad, is not the worst case. “A deletion is not exactly a wipe,” Yair says. To go further, Yair designed his tool, Aikido, to overwrite the files it had deleted, making them unrecoverable as well.