Threat Feed advisory
Severity: high

Untrusted Driver Loaded by Windows Kernel

An untrusted driver loaded by the Windows kernel may indicate an attempt to bypass code signing policies and execute unsigned or self-signed kernel code, potentially leading to defense evasion.

Attackers may attempt to load untrusted drivers into the Windows kernel to evade defenses. They typically do this by modifying code signing policies so that unsigned or self-signed kernel code is allowed to execute, for example by disabling driver signature enforcement (DSE) or by exploiting vulnerable drivers. Detecting untrusted driver loads is critical because successful execution of malicious kernel code gives an attacker extensive control over the system, allowing them to bypass security controls and compromise the integrity of the operating system. This alert specifically excludes known false positives related to HP DOT4 printer drivers.

Attack Chain

  1. The attacker gains initial access to the system, potentially through social engineering or exploiting a vulnerability in a user-mode application.
  2. The attacker modifies the system’s code signing policies. This may involve disabling driver signature enforcement (DSE) via bcdedit or other methods.
  3. The attacker installs a malicious or vulnerable driver onto the system. This driver may be unsigned or self-signed.
  4. The attacker leverages a Bring Your Own Vulnerable Driver (BYOVD) technique, exploiting a known vulnerable driver to load their malicious code into the kernel.
  5. The system attempts to load the newly installed driver.
  6. If code signing policies have been successfully bypassed, the untrusted driver is loaded into the kernel.
  7. The malicious driver executes its payload, which could include installing a rootkit, disabling security software, or stealing sensitive data.
  8. The attacker maintains persistent access to the compromised system and can perform further malicious activities.

Impact

Successful loading of an untrusted driver can lead to complete system compromise. The attacker gains kernel-level privileges, allowing them to bypass security controls, disable security software, and potentially install rootkits. This can result in data theft, system instability, and further propagation of the attack to other systems on the network. The potential impact ranges from data breaches and financial loss to complete disruption of business operations.

Recommendation

  • Deploy the provided Sigma rules to your SIEM to detect untrusted driver loading events (rule titles: “Untrusted Driver Loaded - Process” and “Untrusted Driver Loaded - Image Load”).
  • Investigate any alerts generated by these rules, paying close attention to the driver’s code signature status and origin.
  • Monitor for modifications to code signing policies using Sysmon registry monitoring (rule title: “Code Signing Policy Modification”).
  • Regularly audit and enforce driver signing policies to prevent the loading of unsigned or self-signed drivers.
  • Block the known malicious driver hashes identified in the IOCs section.
  • Enable Sysmon event ID 6 (Driver Loaded) so that the telemetry the Sigma rules depend on is collected.
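The recommendations above amount to one triage procedure: collect Sysmon event ID 6 (Driver Loaded) records, check each loaded driver's signature status and origin, exclude the known HP DOT4 false positive, and match file hashes against the advisory's IOCs. The following Python is an added example that is not part of the advisory or of the platform's Sigma rules. It assumes Sysmon's documented EventData field names for event ID 6 (ImageLoaded, Hashes, Signed, Signature, SignatureStatus); the sample events are constructed, every hash in them except the four advisory IOCs is fake, and the path pattern used to recognise HP DOT4 drivers is an assumption, since the advisory does not state its exact exclusion criteria.

```python
"""Triage Sysmon Event ID 6 (Driver Loaded) records for untrusted drivers.

Constructed example: the event payloads below are hand-written to mimic the
Sysmon EventData layout. Only the four SHA-256 values in IOC_SHA256 come from
the advisory; every other hash is a placeholder.
"""
import re
import xml.etree.ElementTree as ET

# SHA-256 IOCs listed in the advisory (lower-cased for comparison).
IOC_SHA256 = {
    "f21c1d478180bc5e932bb2c2e4618e3ed463ca87acedeb139682d218435f82f1",
    "7e2f2a139e897eae56038b920bda9381094bc0ae9e626f6634e6b444b8b0c91f",
    "12ffdf5f48a79b1b4adbb88ba2cb6c59dd6719554e8ea6beefe99b3e3c66f1ac",
    "dbc6afaf80141e2480e19878f581edfe9c2b018da2ec527c4025ff04d5587afd",
}

# Assumed allow-list for the HP DOT4 false positive named in the advisory.
# The advisory does not give its matching criteria; a "dot4*.sys" image name
# is a guess and should be tuned against your own telemetry.
HP_DOT4_PATTERN = re.compile(r"\\dot4[^\\]*\.sys$", re.IGNORECASE)


def parse_event_data(xml_text):
    """Flatten a Sysmon <EventData> block into a {Name: value} dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iter("Data")}


def sha256_from_hashes(hashes_field):
    """Sysmon's Hashes field looks like 'SHA256=...,IMPHASH=...'."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def triage_driver_load(event):
    """Return (verdict, reason) for one parsed Event ID 6 record.

    Order matters: a hash match is conclusive regardless of signature, a valid
    signature is trusted, the HP DOT4 exclusion only suppresses the generic
    'untrusted' verdict, and everything else is flagged for investigation.
    """
    image = event.get("ImageLoaded", "")
    sha256 = sha256_from_hashes(event.get("Hashes", ""))
    if sha256 in IOC_SHA256:
        return "malicious", f"SHA-256 matches advisory IOC: {sha256}"
    signed = event.get("Signed", "").lower() == "true"
    status = event.get("SignatureStatus", "")
    if signed and status == "Valid":
        return "trusted", f"valid signature by {event.get('Signature', '?')}"
    if HP_DOT4_PATTERN.search(image):
        return "excluded", "HP DOT4 printer driver (known false positive)"
    return "untrusted", f"Signed={event.get('Signed')} SignatureStatus={status}"


def triage_all(xml_events):
    """Return [(image_path, verdict, reason)] for a list of raw EventData XML."""
    results = []
    for xml_text in xml_events:
        event = parse_event_data(xml_text)
        verdict, reason = triage_driver_load(event)
        results.append((event.get("ImageLoaded", ""), verdict, reason))
    return results


def _event(image, sha256, signed, signature, status):
    """Build a constructed Sysmon-style EventData block for the demo."""
    return f"""<EventData>
  <Data Name="UtcTime">2024-01-01 10:00:00.000</Data>
  <Data Name="ImageLoaded">{image}</Data>
  <Data Name="Hashes">SHA256={sha256},IMPHASH=00000000000000000000000000000000</Data>
  <Data Name="Signed">{signed}</Data>
  <Data Name="Signature">{signature}</Data>
  <Data Name="SignatureStatus">{status}</Data>
</EventData>"""


# Constructed sample events: one legitimate, one HP DOT4, one unsigned, one IOC hit.
SAMPLE_EVENTS = [
    _event(r"C:\Windows\System32\drivers\ndis.sys", "00" * 32,
           "true", "Microsoft Windows", "Valid"),
    _event(r"C:\Windows\System32\drivers\Dot4.sys", "11" * 32,
           "false", "-", "Unavailable"),
    _event(r"C:\Users\Public\evil.sys", "22" * 32,
           "false", "-", "Unavailable"),
    _event(r"C:\Windows\Temp\loader.sys",
           "F21C1D478180BC5E932BB2C2E4618E3ED463CA87ACEDEB139682D218435F82F1",
           "true", "Some Vendor", "Valid"),
]

if __name__ == "__main__":
    for image, verdict, reason in triage_all(SAMPLE_EVENTS):
        print(f"{verdict:10} {image}  ({reason})")
```

The IOC check runs before the signature check on purpose: a driver in the advisory's hash list is malicious even if it carries a valid signature, which is exactly the BYOVD case in step 4 of the attack chain. The exclusion is deliberately narrow and only suppresses the generic "untrusted" verdict, so an HP DOT4 image whose hash matched an IOC would still be reported.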

Detection coverage (3 rules)

Untrusted Driver Loaded - Process

Severity: high

Detects the loading of an untrusted driver by monitoring process creation events associated with driver loading.

Sigma rule. Tactics: defense_evasion. Techniques: T1562. Sources: process_creation, windows.

Untrusted Driver Loaded - Image Load

Severity: high

Detects the loading of an untrusted driver by monitoring image load events, specifically focusing on drivers loaded by the kernel.

Sigma rule. Tactics: defense_evasion. Techniques: T1562. Sources: image_load, windows.

Code Signing Policy Modification

Severity: medium

Detects modifications to code signing policies, which could indicate an attempt to bypass driver signature enforcement.

Sigma rule. Tactics: defense_evasion. Techniques: T1562. Sources: registry_set, windows.

Detection queries are kept inside the platform.

Indicators of compromise (4)

Type         Value
hash_sha256  f21c1d478180bc5e932bb2c2e4618e3ed463ca87acedeb139682d218435f82f1
hash_sha256  7e2f2a139e897eae56038b920bda9381094bc0ae9e626f6634e6b444b8b0c91f
hash_sha256  12ffdf5f48a79b1b4adbb88ba2cb6c59dd6719554e8ea6beefe99b3e3c66f1ac
hash_sha256  dbc6afaf80141e2480e19878f581edfe9c2b018da2ec527c4025ff04d5587afd