{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/vulnerable-driver/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["vulnerable-driver","privilege-escalation","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection focuses on identifying the installation of vulnerable Windows drivers, a tactic often employed by attackers to achieve persistence or escalate privileges. The technique involves exploiting known weaknesses in legitimate, but outdated or flawed, drivers to gain unauthorized access and control over a system. By monitoring Windows System service install events (EventCode 7045), the detection cross-references loaded drivers against a list of known vulnerable drivers (LoLdrivers). Successful exploitation can lead to arbitrary code execution with elevated privileges, ultimately compromising the entire system and enabling data exfiltration or other malicious activities. This is a Windows Event Log adaptation of the Sysmon driver loaded detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the system through various means (not specified).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker identifies a vulnerable driver present on the system or deploys one.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDriver Installation:\u003c/strong\u003e The attacker triggers the installation of the vulnerable driver, which is logged as a Windows System Event 7045.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation:\u003c/strong\u003e The attacker leverages the known vulnerabilities within the installed driver to execute arbitrary code in kernel mode.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSystem Control:\u003c/strong\u003e Successful exploitation grants the attacker elevated privileges, allowing them to bypass security restrictions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence by using the exploited driver to maintain a foothold on the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (potential):\u003c/strong\u003e With elevated privileges, the attacker could move laterally within the network to compromise additional systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration / System Damage:\u003c/strong\u003e The attacker executes their final objective, such as exfiltrating sensitive data or causing damage to the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of vulnerable drivers can have severe consequences, including complete system compromise, data theft, and the deployment of malware. While specific victim counts are unavailable, the impact can range from individual workstations to entire enterprise networks. Sectors most vulnerable are those with outdated security practices and unpatched systems. The consequences include significant financial losses, reputational damage, and potential regulatory fines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and monitor Windows Event Log System with EventCode 7045, ensuring that \u0026quot;kernel mode driver\u0026quot; service types are being ingested (data_source).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026quot;Detect Vulnerable Driver Installation via Event ID 7045\u0026quot; to identify potentially malicious driver installations (rules).\u003c/li\u003e\n\u003cli\u003eRegularly update the list of known vulnerable drivers (LoLdrivers) used in the detection to maintain accuracy (references).\u003c/li\u003e\n\u003cli\u003eInvestigate any positive matches from the Sigma rule, focusing on the driver's version, signer, and installation path, as indicated by the event logs (search).\u003c/li\u003e\n\u003cli\u003eUse the provided drilldown searches to further investigate the detection results and associated risk events for impacted systems (drilldown_searches).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-vulnerable-driver-load/","summary":"This analytic detects the installation of known vulnerable Windows drivers, potentially indicating persistence or privilege escalation attempts by threat actors exploiting these drivers for elevated privileges and system compromise.","title":"Detection of Vulnerable Windows Driver Installation","url":"https://feed.craftedsignal.io/briefs/2024-01-vulnerable-driver-load/"}],"language":"en","title":"CraftedSignal Threat Feed - Vulnerable-Driver","version":"https://jsonfeed.org/version/1.1"}