{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/driver-load/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Kernel","Elastic Defend"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","driver-load","kernel"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may attempt to load untrusted drivers into the Windows kernel to evade defenses. This can be achieved by modifying code signing policies to allow the execution of unsigned or self-signed kernel code. This can be done using various techniques such as disabling driver signature enforcement (DSE) or exploiting vulnerable drivers. Detecting untrusted driver loads is critical because successful execution of malicious kernel code can provide an attacker with extensive control over the system, allowing them to bypass security controls and compromise the integrity of the operating system. This alert specifically excludes known false positives related to HP DOT4 printer drivers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, potentially through social engineering or exploiting a vulnerability in a user-mode application.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the system\u0026rsquo;s code signing policies. This may involve disabling driver signature enforcement (DSE) via \u003ccode\u003ebcdedit\u003c/code\u003e or other methods.\u003c/li\u003e\n\u003cli\u003eThe attacker installs a malicious or vulnerable driver onto the system. This driver may be unsigned or self-signed.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a Bring Your Own Vulnerable Driver (BYOVD) technique, exploiting a known vulnerable driver to load their malicious code into the kernel.\u003c/li\u003e\n\u003cli\u003eThe system attempts to load the newly installed driver.\u003c/li\u003e\n\u003cli\u003eIf code signing policies have been successfully bypassed, the untrusted driver is loaded into the kernel.\u003c/li\u003e\n\u003cli\u003eThe malicious driver executes its payload, which could include installing a rootkit, disabling security software, or stealing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the compromised system and can perform further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful loading of an untrusted driver can lead to complete system compromise. The attacker gains kernel-level privileges, allowing them to bypass security controls, disable security software, and potentially install rootkits. This can result in data theft, system instability, and further propagation of the attack to other systems on the network. The potential impact ranges from data breaches and financial loss to complete disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect untrusted driver loading events (rule titles: \u0026ldquo;Untrusted Driver Loaded - Process\u0026rdquo; and \u0026ldquo;Untrusted Driver Loaded - Image Load\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, paying close attention to the driver\u0026rsquo;s code signature status and origin.\u003c/li\u003e\n\u003cli\u003eMonitor for modifications to code signing policies using Sysmon registry monitoring (rule title: \u0026ldquo;Code Signing Policy Modification\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eRegularly audit and enforce driver signing policies to prevent the loading of unsigned or self-signed drivers.\u003c/li\u003e\n\u003cli\u003eBlock the known malicious driver hashes identified in the IOCs section.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon event ID 6 (Driver Loaded) to collect necessary data for the Sigma rules to function correctly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-untrusted-driver-load/","summary":"An untrusted driver loaded by the Windows kernel may indicate an attempt to bypass code signing policies and execute unsigned or self-signed kernel code, potentially leading to defense evasion.","title":"Untrusted Driver Loaded by Windows Kernel","url":"https://feed.craftedsignal.io/briefs/2024-01-untrusted-driver-load/"}],"language":"en","title":"CraftedSignal Threat Feed — Driver-Load","version":"https://jsonfeed.org/version/1.1"}