Bring Your Own Vulnerable Driver (BYOVD)

MITRE ATT&CK™ Exploitation for Privilege Escalation - Technique T1068

Theory

As a security mechanism, Windows by default enforces Driver Signature Enforcement (DSE), which requires kernel-mode drivers to be signed by a valid code-signing authority before Windows will load them.

However, we may bring a legitimately signed but vulnerable driver onto a compromised machine: its signature satisfies DSE, and the vulnerability is then exploited to execute code in kernel mode.

This technique requires administrative privileges on the target, since loading a driver is a privileged operation.

Practice

Killing AV/EDR

Gaining kernel-mode access by exploiting a vulnerable driver enables a Windows Kernel-Mode Code Integrity (KMCI) bypass, allowing the termination of Protected Process Light (PPL) processes such as EDR or AV tools.

Backstab is a tool capable of killing antimalware-protected processes by leveraging Sysinternals' Process Explorer driver (procexp.sys).

# -n  Choose process by name, including the .exe suffix
# -p  Choose process by PID
# -l  List handles of protected process
# -k  Kill the protected process by closing its handles
# -x  Close a specific handle
# -d  Specify path to where ProcExp will be extracted
# -s  Specify service name registry key
# -u  Unload ProcExp driver
# -a  Add SeDebugPrivilege

# Examples:
# Kill cyserver
backstab.exe -n cyserver.exe -k

# Close handle E4C of cyserver
backstab.exe -n cyserver.exe -x E4C

# List all handles of cyserver
backstab.exe -n cyserver.exe -l

# Kill protected process with PID 4326, extract ProcExp driver to C:\ drive
backstab.exe -p 4326 -k -d c:\\driver.sys

Windows Filtering Platform (WFP) Callout Driver

A callout driver implements one or more callouts. Callouts extend the capabilities of the Windows Filtering Platform by processing TCP/IP-based network data in ways that are beyond the scope of the simple filtering functionality. By abusing such a driver, we can block outbound traffic from EDR processes.

EDRPrison leverages a legitimate WFP callout driver, WinDivert, to silence EDR systems by blocking their outbound network traffic. This project focuses on network-based evasion techniques.

EDRPrison.exe

Kernel Object Tampering

EDRSandblast is a tool written in C that weaponizes a vulnerable signed driver to bypass EDR detections (Notify Routine callbacks, Object Callbacks and the ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.

Usage: EDRSandblast.exe [-h | --help] [-v | --verbose] <audit | dump | cmd | credguard | firewall | load_unsigned_driver>
    [--usermode] [--unhook-method <N>] [--direct-syscalls] [--add-dll <dll name or path>]*
    [--kernelmode] [--dont-unload-driver] [--no-restore]
    [--nt-offsets <NtoskrnlOffsets.csv>] [--fltmgr-offsets <FltmgrOffsets.csv>] [--wdigest-offsets <WdigestOffsets.csv>] [--ci-offsets <CiOffsets.csv>] [--internet]
    [--vuln-driver <RTCore64.sys>] [--vuln-service <SERVICE_NAME>]
    [--unsigned-driver <evil.sys>] [--unsigned-service <SERVICE_NAME>]
    [--no-kdp]
    [-o | --dump-output <DUMP_FILE>]

Hijacking Valid Drivers

This technique does not work on systems with HVCI enabled, because the LSTAR MSR cannot be modified when it is protected by Hyper-V.

DriverJack is a tool designed to load a vulnerable driver by abusing lesser-known NTFS techniques. These methods bypass the registration of a driver service on the system by hijacking an existing service, and also spoof the image path presented in the Driver Load event. To further mask the presence of a vulnerable driver, the attack also abuses an Emulated Filesystem Read-Only bypass to swap the content of a driver file on a mounted ISO before loading it.

DriverJack.exe
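As an added example that is not part of the original page or of any tool above, the following Python pass triages constructed Sysmon Event ID 6 (Driver Loaded) records the way a detection engineer would look for a BYOVD load: the driver hash is matched against a vulnerable-driver blocklist, while file name and load path are only secondary signals, because Backstab extracts procexp.sys under an arbitrary name (-d) and DriverJack spoofs the image path in the load event. The blocklist contents, hash values and sample events are constructed placeholders; the field names are Sysmon's.

```python
import re

# Constructed blocklist keyed by SHA256. The values are placeholders, not real
# hashes; in practice the list comes from a feed such as the Microsoft vulnerable
# driver blocklist. Hashes are matched rather than file names because the
# attacker controls the name, and DriverJack even spoofs the load-event path.
VULN_DRIVER_SHA256 = {
    "PLACEHOLDER_PROCEXP_SHA256": "procexp.sys (Process Explorer driver used by Backstab)",
    "PLACEHOLDER_RTCORE64_SHA256": "RTCore64.sys (EDRSandblast default --vuln-driver)",
}
# Driver names mentioned on this page; a name match alone is only a weak signal.
SUSPICIOUS_NAMES = {"procexp.sys", "rtcore64.sys", "windivert64.sys", "windivert.sys"}
DRIVER_DIR = re.compile(r"^[a-z]:\\windows\\system32\\drivers\\", re.I)

def parse_hashes(field):
    """Split Sysmon's 'SHA256=...,MD5=...' Hashes field into a dict."""
    return dict(p.split("=", 1) for p in field.split(",") if "=" in p)

def classify_driver_load(event):
    """Return the reasons a driver load looks like BYOVD; empty list if none."""
    reasons = []
    image = event["ImageLoaded"]
    sha256 = parse_hashes(event["Hashes"]).get("SHA256", "").upper()
    name = image.rsplit("\\", 1)[-1].lower()
    if sha256 in VULN_DRIVER_SHA256:
        reasons.append("blocklisted hash: " + VULN_DRIVER_SHA256[sha256])
    if name in SUSPICIOUS_NAMES:
        reasons.append("known-abused driver name: " + name)
    if not DRIVER_DIR.match(image):
        reasons.append("loaded from outside System32\\drivers")
    if event.get("SignatureStatus") != "Valid":
        reasons.append("signature status: " + str(event.get("SignatureStatus")))
    return reasons

# Constructed Sysmon Event ID 6 records (field names are Sysmon's; values are sample data).
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=PLACEHOLDER_TCPIP_SHA256", "SignatureStatus": "Valid"},
    # Backstab extracting procexp.sys under a neutral name, as in the page's -d example
    {"ImageLoaded": r"C:\driver.sys",
     "Hashes": "SHA256=PLACEHOLDER_PROCEXP_SHA256", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\RTCore64.sys",
     "Hashes": "SHA256=PLACEHOLDER_RTCORE64_SHA256", "SignatureStatus": "Valid"},
]

def scan(events):
    """Map each loaded image to its findings; only flagged loads need an analyst."""
    return {e["ImageLoaded"]: classify_driver_load(e) for e in events}
```

The renamed procexp.sys in the second record is caught by its hash alone, which is why name- or path-only rules are insufficient against the tools on this page.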

Resources
