Full Report
Riot’s “anti-cheat artisan” Phillip Koskinas explains how he and his team go after cheaters and cheat developers to protect the integrity of games, such as Valorant and League of Legends.
Analysis Summary
# Tool/Technique: Vanguard Anti-Cheat (Riot Games)
## Overview
Vanguard is a kernel-level anti-cheat system developed by Riot Games for its titles, primarily *League of Legends* and *Valorant*. Its purpose is to combat cheating by enforcing platform security features such as TPM and Secure Boot, monitoring system activity, banning cheaters, and neutralizing cheat software.
## Technical Details
- Type: Security Tool / Anti-Cheat Framework
- Platform: Windows (implied by the reliance on TPM and Secure Boot checks as enforced through Windows)
- Capabilities: Enforces platform security features, checks driver integrity, blocks kernel-level code execution by cheats, and fingerprints hardware.
- First Seen: N/A (Specific debut date not in text, but associated with *Valorant* launch era).
## MITRE ATT&CK Mapping
*Note: While Vanguard is a defensive tool, its behavior often maps to defensive tactics or overlaps with adversary techniques it seeks to prevent.*
- **TA0005 - Defense Evasion** (adversary analogue to what Vanguard counters: defeating defenses)
  - T1055 - Process Injection (Vanguard attempts to prevent cheats from injecting code)
- **TA0003 - Persistence** (adversary analogue: cheats maintaining presence on the machine)
  - T1547.001 - Registry Run Keys / Startup Folder (Vanguard itself runs continuously as a service)
- **TA0004 - Privilege Escalation** (adversary analogue; also Vanguard's own operating requirement)
  - T1068 - Exploitation for Privilege Escalation (Vanguard operates at kernel level to prevent cheats from reaching that level)
## Functionality
### Core Capabilities
- **Kernel-Level Operation:** Runs a service constantly, giving it deep access to the operating system.
- **Security Feature Enforcement:** Almost universally enforces critical Windows security features like Trusted Platform Module (TPM) and Secure Boot to verify machine integrity.
- **Driver Verification:** Checks that all hardware drivers are up-to-date to identify potential cheating enablers.
- **Code Prevention:** Prevents cheats from loading and executing code within the kernel’s memory space.
### Advanced Features
- **Hardware Fingerprinting:** Used to ban cheaters and prevent them from immediately reoffending by linking bans to specific hardware components.
- **Reconnaissance and Infiltration:** The anti-cheat team maintains a reconnaissance arm that infiltrates cheat developer communities using sock puppet identities to obtain and catalog cheats/threats.
- **Psychological Warfare:** Engaging in counter-information operations to discredit cheaters/cheat developers, sometimes by pretending to reverse engineer cheats to gain credibility within development circles.
- **AI Monitoring/Detection Research:** Investigating and preparing defenses against advanced cheating methods utilizing Artificial Intelligence for screen classification and human input emulation.
## Indicators of Compromise
*Note: As Vanguard is an anti-cheat defense system, the indicators provided below relate to its operational requirements or indicators derived from its enforcement actions.*
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators:
  - Continuous service running on the user machine.
  - Elevated privileges required for operation (kernel mode).
  - Checks of boot configuration integrity and hardware driver state.
## Associated Threat Actors
- **Cheat Developers/Sellers:** The adversaries directly targeted by Vanguard.
- **Video Game Cheaters:** End-users using unauthorized software that Vanguard seeks to ban.
## Detection Methods
- Signature-based detection: Identifying specific known cheat executables or malicious kernel modules.
- Behavioral detection: Monitoring for unauthorized attempts to load code into kernel memory or tamper with validated drivers/boot settings.
- YARA rules: Not mentioned, but implied for identifying cheat binaries obtained via reconnaissance.
## Mitigation Strategies
- **Kernel Access Justification:** Riot Games justifies the invasive nature by striving for high transparency regarding anti-cheat operations, acknowledging the required high level of access granted by the user.
- **System Hardening Enforcement:** Requiring users to maintain system security standards (e.g., up-to-date drivers, functional TPM/Secure Boot) by blocking access if conditions are not met.
- **Proactive Threat Acquisition:** Actively obtaining and analyzing cheat software before widespread release to develop countermeasures.
## Related Tools/Techniques
- Other kernel-level anti-cheat systems (mentioned generally as a growing trend).
- Cheat techniques that combine AI screen classification with human-like input emulation, intended to avoid detection based on unnaturally perfect, non-human accuracy.