Windows Defender ACL Blocking: A Silent Technique With Serious Impact
What matters to defenders (TL;DR)

The PoC, running with administrator privileges, modifies the Access Control List (ACL) on kernel32.dll to add Deny Access Control Entries (ACEs) for specific service identities. We observed Windows Security Event IDs 4670 "Permissions on an object were changed" (high fidelity) and 4663 "An attempt was made to access an object" (lower fidelity, since it fires for any audited access) as useful pivots for detection. Both events depend on object access auditing being enabled (the Audit File System subcategory) and on kernel32.dll carrying a SACL that audits permission changes; without that, neither event is written.

Quick refresher: ACLs, ACEs, and Deny entries

An ACL is made up of ACEs that Allow or Deny a user, group, or service access to an object (file, registry key, and so on). A Deny ACE is powerful because, in canonical ACE order, explicit Deny entries are evaluated before explicit Allow entries, so a Deny wins over an Allow that would otherwise grant access. Applied to a foundational library and aimed at a service identity, a single Deny ACE is enough to lock that service out of the library.

The detection logic therefore filters on three things:

1. Object: kernel32.dll
2. Change type: introduction of Deny ACEs
3. Subject: service SIDs (the S-1-5-80-* prefix used for NT SERVICE\ accounts)

The annoying part: 4670 gives service SIDs, not service names

Event 4670 does not carry a friendly service name; the affected service identity appears only as a SID inside the SDDL strings of the event. For Windows services, however, the SID is derived deterministically from the service name:

1. Take the service name in uppercase
2. Encode it as UTF-16 little endian
3. Compute the SHA-1 digest (20 bytes)
4. Split the digest into five little-endian 32-bit integers; these become the sub-authorities after S-1-5-80-

If you know the targeted services (as you do for the PoC defaults), you can precompute the mapping and hunt for those service SIDs directly, or generate them on the fly inside KQL.

Parsing SDDL to identify Deny ACEs

The ACL data in 4670 is represented using SDDL (Security Descriptor Definition Language). The DACL is the D: section, and each ACE is a parenthesized, semicolon-separated tuple of the form (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid); an ace_type of D is an access-denied ACE, A is access-allowed. Deny entries are uncommon in general and extremely rare on kernel32.dll, so false positives are unlikely in most environments. Event 4670 includes both OldSd and NewSd, allowing "diff-like" analysis: an ACE that is present in NewSd but absent from OldSd is the change the event is reporting.
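The following is an added example (not code from the original post or from the PoC) that implements both the service SID derivation above and the SDDL diff used to spot newly introduced Deny ACEs on kernel32.dll. The service names in SERVICE_NAMES and the 4670-style event are constructed for the illustration; they are not a claim about the PoC's default target list. TrustedInstaller is included because its SID is publicly documented and serves as a sanity check for the derivation.

```python
import hashlib
import re
import struct
from typing import Dict, Iterable, List, Tuple

# Constructed example list of services to precompute SIDs for (assumption:
# these are the identities you want to hunt for, not the PoC's default list).
SERVICE_NAMES = ["WinDefend", "WdNisSvc", "Sense", "TrustedInstaller"]


def service_sid(service_name: str) -> str:
    """Derive the NT SERVICE\\<name> SID.

    S-1-5-80-<five little-endian uint32s taken from SHA1(UTF-16LE(UPPER(name)))>
    """
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    subauths = struct.unpack("<5I", digest)  # 20 bytes -> 5 x uint32, little endian
    return "S-1-5-80-" + "-".join(str(x) for x in subauths)


def build_sid_map(names: Iterable[str]) -> Dict[str, str]:
    """Precomputed SID -> service name map for resolving 4670 trustees."""
    return {service_sid(n): n for n in names}


# One ACE per parenthesized group. Conditional (callback) ACEs that nest
# parentheses are not handled by this simple pattern.
ACE_RE = re.compile(r"\(([^)]*)\)")
DACL_RE = re.compile(r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)")

Ace = Tuple[str, str, str, str]  # (ace_type, ace_flags, rights, trustee)


def parse_dacl(sddl: str) -> List[Ace]:
    """Return the ACEs of the D: (DACL) section of an SDDL string."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces: List[Ace] = []
    for body in ACE_RE.findall(m.group("aces")):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # malformed ACE; skip rather than crash the pipeline
        aces.append((fields[0], fields[1], fields[2], fields[5]))
    return aces


def new_deny_aces(old_sd: str, new_sd: str, sid_map: Dict[str, str]) -> List[dict]:
    """Deny ACEs present in NewSd but absent from OldSd, annotated with the service name."""
    before = set(parse_dacl(old_sd))
    hits = []
    for ace in parse_dacl(new_sd):
        ace_type, _, rights, trustee = ace
        if ace in before or ace_type != "D":
            continue
        hits.append({
            "rights": rights,
            "sid": trustee,
            "is_service_sid": trustee.startswith("S-1-5-80-"),
            "service": sid_map.get(trustee),  # None if not in our precomputed map
        })
    return hits


def evaluate_4670(event: dict, sid_map: Dict[str, str]) -> List[dict]:
    """Apply the three filters: kernel32.dll, new Deny ACE, service SID trustee."""
    if not event.get("ObjectName", "").lower().endswith("\\kernel32.dll"):
        return []
    return [h for h in new_deny_aces(event["OldSd"], event["NewSd"], sid_map)
            if h["is_service_sid"]]


# Constructed 4670-style event (not a real log capture). The Deny ACE is placed
# first, as a canonically ordered DACL would have it.
SAMPLE_EVENT = {
    "ObjectName": "C:\\Windows\\System32\\kernel32.dll",
    "OldSd": "O:SYG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)",
    "NewSd": "O:SYG:SYD:(D;;FA;;;" + service_sid("WinDefend") + ")"
             "(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)",
}


def demo() -> List[dict]:
    return evaluate_4670(SAMPLE_EVENT, build_sid_map(SERVICE_NAMES))


if __name__ == "__main__":
    for sid, name in build_sid_map(SERVICE_NAMES).items():
        print(f"{name:18s} {sid}")
    for hit in demo():
        print("ALERT: new Deny ACE on kernel32.dll for", hit["service"] or hit["sid"])
```

The same three filters translate directly to KQL: restrict to EventID 4670, match ObjectName on kernel32.dll, and extract D-type ACEs from NewSd that do not appear in OldSd, comparing the trustee against the precomputed service SID list.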