Grzegorz Tworek  

By-design AV bypass with "dev drive" 😅
I really like this feature!
Update your detection rules if you want to spot this...
And what does fsutil devdrv actually do? Here you have it:
1. devdrv enable -> FsEnableDevDrive=1 in CCS\Control\FileSystem
2. disallowAv -> FltmgrDevDriveAllowAntivirusFilter=0 in CCS\Control\FilterManager
3. clearFiltersAllowed -> FsFlags + FsGuid in CCS\Control\FileSystemVolumes\{VOLUME_GUID}
4. trust -> DeviceIoControl(FSCTL_SET_PERSISTENT_VOLUME_STATE, PERSISTENT_VOLUME_STATE_TRUSTED_VOLUME)
And you can enjoy the bypass without even touching fsutil.exe 😎
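For anyone who wants to act on the "update your detection rules" hint, here is an added audit script (written for this page, not code from the post or from gtworek's repositories) that reads the registry locations listed above and reports whether a host has Dev Drive enabled, the antivirus filter disallowed, and which volume entries exist under FileSystemVolumes. It only reads HKLM and changes nothing; the meaning of individual FsFlags bits is not described in the post, so they are reported raw. Function and property names are my own choices, not anything from Windows or fsutil.

```powershell
# Added example, not from the original post: audit the Dev Drive settings that
# "fsutil devdrv" writes, as listed in the post. Read-only; nothing is modified.

function Get-DevDriveAuditReport {
    [CmdletBinding()]
    param()

    # Registry paths taken from the post (CCS = CurrentControlSet).
    $fsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    $fmKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\FilterManager'
    $volKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystemVolumes'

    # Helper: read one value, returning $null when the key or value is absent.
    function Get-RegValue([string]$Path, [string]$Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    # "devdrv enable" -> FsEnableDevDrive=1
    $enabled  = Get-RegValue $fsKey 'FsEnableDevDrive'
    # "disallowAv"    -> FltmgrDevDriveAllowAntivirusFilter=0
    $avFilter = Get-RegValue $fmKey 'FltmgrDevDriveAllowAntivirusFilter'

    # "clearFiltersAllowed" -> per-volume subkeys {VOLUME_GUID} holding FsFlags and FsGuid.
    # FsFlags is reported as-is; the post does not document its bit meanings.
    $volumes = @()
    if (Test-Path $volKey) {
        Get-ChildItem -Path $volKey -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            $volumes += [pscustomobject]@{
                VolumeGuid = $_.PSChildName
                FsFlags    = $p.FsFlags
                FsGuid     = $p.FsGuid
            }
        }
    }

    [pscustomobject]@{
        DevDriveEnabled           = ($enabled -eq 1)
        AntivirusFilterDisallowed = ($avFilter -eq 0)
        VolumeEntryCount          = $volumes.Count
        VolumeEntries             = $volumes
        # Both settings together are the combination the post describes as the AV bypass.
        AvBypassConfigured        = (($enabled -eq 1) -and ($avFilter -eq 0))
    }
}

Get-DevDriveAuditReport | Format-List
```

Running this once on a clean baseline and again after a suspected change gives a quick diff of the values that matter; for continuous coverage, the same three key paths are the ones to watch for registry write events, since the post notes the values can be set without ever launching fsutil.exe.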
Short video showing you how to play with application-based conditional ACLs on your own: https://youtu.be/4Lm0UWWa1gY
How to use conditional ACEs to get a file one app can open, while another one cannot.
Conditional ACLs, making the same file allowed for one app, denied for another one... 😮
I guess I know where I will dig during next weeks... 😎
🤔
After some "over lunch reversing" magic by @x86matthew, I have modified his code a bit, and I am ready to send a byte or two with DeviceIoControl().
If for any reason you want to see my version, it's here: https://github.com/gtworek/PSBits/blob/master/Misc/HttpCommunicationOpenHandle.c
Do you know any piece of code successfully opening \Device\Http\Communication device?
Is the "UlOpenPacket000" EA necessary? Something else? I didn't succeed so far, and a couple of IOCTLs still wait on my list ;)
New release of VolatileDataCollector has arrived. A LOT more details about DLLs loaded (thank you daem0nc0re for inspiration!), no other changes.
64-bit DLLs for now, but WOW support is coming soon :)
Enjoy: https://github.com/gtworek/VolatileDataCollector

Just a reminder, you can support infosec.exchange through liberapay: https://liberapay.com/Infosec.exchange/

Thanks!
BTW If you are not on infosec.exchange, you can check your local list using https://emojos.in/
Do you like the mark? Here you have it listed next to about 1000 others - https://emojos.in/infosec.exchange?show_all=true&show_animated=true