From ca0d60cb042c6a46afee2297ac2715092917670f Mon Sep 17 00:00:00 2001 
From: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> Date: Wed, 11 Sep 2024 15:25:43 -0400 Subject: [PATCH] [Defend] Identify and exclude 24H2+ hotpatch extension pages from stomp detection (#192490) ## Release Note Defend 8.15.2 will improve support for [Windows call stack module stomp detection](https://www.elastic.co/security-labs/upping-the-ante-detecting-in-memory-threats-with-kernel-call-stacks) in Windows 11 24H2. ## Description Windows 11 24H2 adds hotpatch support, a great feature that enables the installation of many security updates without a system reboot. To implement hotpatching, Microsoft is changing the layout of executable images in memory, appending new "extension pages" to the end of every hotpatchable mapped image in memory. These pages are `PAGE_EXECUTE_READ`. ![image](https://github.com/user-attachments/assets/41bb960e-21ff-4c63-a250-81e303506ad8) Microsoft describes the change in some detail [here](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/hotpatching-on-windows/ba-p/2959541). Here's a [third-party analysis of the change](https://ynwarcs.github.io/Win11-24H2-CFG) showing how it breaks x64debug. ![image](https://github.com/user-attachments/assets/3bea1aa5-8c5a-4c27-bf74-9e92833cdc7a) Unfortunately, this change affects our module stomp detection feature, which views these executable pages as patched/stomped. We are fixing this in 8.15.2. This PR lets users opt out of the change, reverting to the old behavior. ### Checklist Delete any items that are not applicable to this PR. 
- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
---
 .../pages/policy/models/advanced_policy_schema.ts | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/x-pack/plugins/security_solution/public/management/pages/policy/models/advanced_policy_schema.ts b/x-pack/plugins/security_solution/public/management/pages/policy/models/advanced_policy_schema.ts
index 7b2adc6e5b36f..5cefd39ace739 100644
--- a/x-pack/plugins/security_solution/public/management/pages/policy/models/advanced_policy_schema.ts
+++ b/x-pack/plugins/security_solution/public/management/pages/policy/models/advanced_policy_schema.ts
@@ -1296,6 +1296,17 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
 }
 ),
 },
+ {
+ key: 'windows.advanced.events.callstacks.exclude_hotpatch_extension_pages',
+ first_supported_version: '8.15.2',
+ documentation: i18n.translate(
+ 'xpack.securitySolution.endpoint.policy.advanced.windows.advanced.events.callstacks.exclude_hotpatch_extension_pages',
+ {
+ defaultMessage:
+ 'Exclude Windows 11 24H2 hotpatch extension pages, which resemble injected code, from callstack module stomp scanning. Default: true',
+ }
+ ),
+ },
 {
 key: 'windows.advanced.events.process_ancestry_length',
 first_supported_version: '8.15',
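Review bot: The new `documentation` string for `windows.advanced.events.callstacks.exclude_hotpatch_extension_pages` states only the exclusion and its default; it does not tell an operator what setting the option to `false` restores, which the PR description identifies as the pre-8.15.2 behavior where 24H2 hotpatch extension pages are reported as stomped modules. Because this toggle removes a class of executable pages from a detection, the policy UI text is the only place an analyst tuning the setting sees that trade-off, so I would extend the message, e.g. `'Exclude Windows 11 24H2 hotpatch extension pages, which resemble injected code, from callstack module stomp scanning. Setting this to false restores the pre-8.15.2 behavior, in which these pages are reported as stomped modules. Default: true'`. It would also help to state, if the endpoint behaves that way, that the option has no effect on hosts without hotpatch extension pages; I cannot confirm that from this hunk. The `AdvancedPolicySchema` array starts and ends outside the hunk, so whether neighboring entries use the same inline `Default:` convention is not visible here.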