| property | value |
| --- | --- |
| tags | driver-exploit,threat-hunting |
| url | |
| original_word_count | 3803 |
Article Excerpt
The Windows kernel driver is an interesting space that falls between persistence and privilege escalation. The origins of a vulnerable driver being used to elevate privileges may have begun in the gaming community as a way to hack or cheat in games, but also has potential beginnings with Stuxnet.
Long Summary
This article provides an overview of the various methods available to defenders for detecting and blocking malicious drivers. It begins by discussing LOLDrivers, a tool that can be used to detect malicious drivers, and then covers methods for blocking malicious drivers, such as using Windows security event logs, DriverQuery inputs, Sysmon EventID 6, and EDR/Application Control products. It also covers Atomic Red Team testing, which can be used to simulate the addition of a service with sc.exe and assess the effectiveness of security controls.
The article also provides a few hunting queries for detecting drivers, including ones for Carbon Black Response and Sysmon, and includes a screenshot showing how much data Sysmon EventID 6 produces. Additionally, it covers the related security content: the data sources involved and detections for sc.exe manipulating Windows services, a Windows driver loaded from a non-standard path, Windows drivers loaded by signature, a Windows registry certificate added, a Windows service created for a kernel-mode driver, and a known vulnerable Windows driver loaded.
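As an added example (not code from the Splunk article or the summary above), the following Python pass applies three of the checks the summary names to constructed Sysmon Event ID 6 (DriverLoad) records: a driver loaded from a non-standard path, a driver that is unsigned or whose signature is not valid, and a SHA256 match against a vulnerable-driver list. The field names are Sysmon's; the sample events, hash values and the vulnerable-hash set are placeholders, not real LOLDrivers entries.

```python
from typing import Dict, List

# Constructed sample Sysmon Event ID 6 records, flattened to field/value pairs
# as they appear in the event XML. Hash values are placeholders, not real ones.
SAMPLE_EVENTS = [
    {"UtcTime": "2023-05-02 14:01:07.123",
     "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Hashes": "SHA256=" + "1" * 64 + ",IMPHASH=" + "a" * 32,
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"UtcTime": "2023-05-02 14:03:42.456",
     "ImageLoaded": r"C:\Users\Public\Temp\helper.sys",
     "Hashes": "SHA256=" + "2" * 64 + ",IMPHASH=" + "b" * 32,
     "Signed": "true", "Signature": "Example Hardware Vendor", "SignatureStatus": "Valid"},
    {"UtcTime": "2023-05-02 14:05:10.789",
     "ImageLoaded": r"C:\Windows\Temp\drv.sys",
     "Hashes": "SHA256=" + "3" * 64,
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]

# Placeholder stand-in for a LOLDrivers-style list of known vulnerable driver hashes.
KNOWN_VULNERABLE_SHA256 = {"2" * 64}

# Directories a legitimately installed driver is normally loaded from (compared lowercase).
STANDARD_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",
                        "c:\\windows\\system32\\driverstore\\")


def parse_hashes(field: str) -> Dict[str, str]:
    """Split the Sysmon 'Hashes' field ('SHA256=...,IMPHASH=...') into a dict."""
    return dict(part.split("=", 1) for part in field.split(",") if "=" in part)


def classify_driver_load(event: Dict[str, str]) -> List[str]:
    """Return detection labels for one Event ID 6 record (empty list means no finding)."""
    findings = []
    if not event["ImageLoaded"].lower().startswith(STANDARD_DRIVER_DIRS):
        findings.append("driver_load_non_standard_path")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        findings.append("driver_unsigned_or_invalid_signature")
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256", "").lower()
    if sha256 in KNOWN_VULNERABLE_SHA256:
        findings.append("known_vulnerable_driver_loaded")
    return findings


def hunt(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each loaded image path to the labels raised for it."""
    return {e["ImageLoaded"]: classify_driver_load(e) for e in events}


if __name__ == "__main__":
    for image, labels in hunt(SAMPLE_EVENTS).items():
        print(image, labels or "no finding")
```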
The article acknowledges the contributions of Teoderick Contreras, Michael Haag, Mauricio Velazco, Rod Soto, Jose Hernandez, Patrick Bareiss, Lou Stella, Bhavin Patel and Eric McGinnis. It encourages readers to provide feedback or requests via an issue on GitHub or by joining the Slack channel #security-research, and gives instructions for those who need an invitation to the Splunk user groups on Slack.
Overall, the article gives a comprehensive overview of why driver inventory practices and security controls matter for maintaining a strong security posture against evolving threats. It outlines the use of tools such as the Atomic Red Team project to test security controls and detect malicious drivers, and points to resources for further learning: the latest security analytics stories on GitHub and Splunkbase, and the release notes on Splunk Docs.
Short Summary
These Are The Drivers You Are Looking For: Detect and Prevent Malicious Drivers
- The Windows kernel driver is an interesting space that falls between persistence and privilege escalation. The origins of a vulnerable driver being used to elevate privileges may have begun in the gaming community as a way to hack or cheat in games, but also has potential beginnings with Stuxnet.
- Overview of methods for detecting and blocking malicious drivers
- Discussion of LOLDrivers tool for detecting malicious drivers
- Methods for blocking malicious drivers using Windows security event logs
- Use of DriverQuery inputs and Sysmon EventID 6 for blocking malicious drivers
- EDR/Application Control products for blocking malicious drivers
- Use of Atomic Red Team testing to assess security controls
- Hunting queries for detecting drivers using Carbon Black Response and Sysmon
- Coverage of security content on different driver vulnerabilities and threats
- Acknowledgments of contributors and resources for further learning
- Encouragement for feedback and instructions for joining the Splunk user groups on Slack.
source link: https://www.splunk.com/en_us/blog/security/these-are-the-drivers-you-are-looking-for-detect-and-prevent-malicious-drivers.html
summarized content: https://hut.threathunterz.com/battlefield-intel/articles-and-reports/these-are-the-drivers-you-are-looking-for-detect-and-prevent-malicious-drivers
#MaliciousDriverDetection #SecurityControls #AtomicRedTeam #HuntingQueries #DriverInventoryPractices