The Windows kernel driver is an interesting space that falls between persistence and privilege escalation. The use of a vulnerable driver to elevate privileges may have begun in the gaming community as a way to hack or cheat in games, but the technique may also trace back to Stuxnet.
This article provides an overview of the methods available to defenders for detecting and blocking malicious drivers. It begins with LOLDrivers, a tool that can be used to detect malicious drivers, and then covers methods for detecting and blocking malicious drivers using Windows security event logs, DriverQuery inputs, Sysmon EventID 6, and EDR/Application Control products. It also covers Atomic Red Team testing, which can be used to simulate the addition of a service with sc.exe and assess the effectiveness of security controls.
The article also provides a few hunting queries that can be used to detect drivers, such as those for Carbon Black Response and Sysmon, and a screenshot showing the volume of data that EventID 6 produces. Additionally, it covers security content, including data sources and the detections "sc.exe Manipulating Windows Services", "Windows Driver Load Non-Standard Path", "Windows Drivers Loaded by Signature", "Windows Registry Certificate Added", "Windows Service Create Kernel Mode Driver" and "Windows Vulnerable Driver Loaded".
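As an added example (not code from the Splunk article or its detection content), the following Python sketch applies three of the checks the article describes, a non-standard load path, a missing or invalid signature, and a hash match against a known-vulnerable list, to constructed Sysmon Event ID 6 records. The hash set is a constructed placeholder standing in for a LOLDrivers export, and the sample events are constructed, not captured.

```python
# Constructed stand-in for a LOLDrivers hash list (the real project publishes
# SHA256 values of known vulnerable/malicious drivers). NOT a real hash.
KNOWN_BAD_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000bad",
}

# Directories where legitimately installed drivers normally live (lower-cased).
STANDARD_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

def parse_hashes(field):
    """Turn Sysmon's 'SHA1=..,MD5=..,SHA256=..' Hashes string into a dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out

def evaluate_driver_load(event):
    """Return the findings for one Sysmon Event ID 6 record given as a field dict."""
    findings = []
    path = event.get("ImageLoaded", "").lower()
    if not path.startswith(STANDARD_DRIVER_DIRS):
        findings.append("non_standard_path")
    signed = event.get("Signed", "").lower() == "true"
    if not signed or event.get("SignatureStatus", "") != "Valid":
        findings.append("unsigned_or_invalid_signature")
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in KNOWN_BAD_SHA256:
        findings.append("known_vulnerable_driver_hash")
    return findings

# Constructed sample events shaped like Sysmon Event ID 6 (Driver loaded).
SAMPLE_EVENTS = [
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys", "Signed": "true",
     "SignatureStatus": "Valid", "Hashes": "SHA1=aa,MD5=bb,SHA256=" + "a" * 64},
    {"ImageLoaded": "C:\\Users\\Public\\update.sys", "Signed": "true",
     "SignatureStatus": "Valid",
     "Hashes": "SHA256=" + "0" * 61 + "bad,IMPHASH=cc"},
    {"ImageLoaded": "C:\\Windows\\Temp\\tmp.sys", "Signed": "false",
     "SignatureStatus": "Unavailable", "Hashes": "SHA256=" + "f" * 64},
]

def triage(events):
    """Map each loaded image path to its list of findings; empty list means clean."""
    return {e["ImageLoaded"]: evaluate_driver_load(e) for e in events}

if __name__ == "__main__":
    for image, findings in triage(SAMPLE_EVENTS).items():
        print(image, findings or "clean")
```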
The article acknowledges the contributions of Teoderick Contreras, Michael Haag, Mauricio Velazco, Rod Soto, Jose Hernandez, Patrick Bareiss, Lou Stella, Bhavin Patel and Eric McGinnis. It encourages readers to provide feedback or requests via an issue on GitHub or by joining the Slack channel #security-research, and gives instructions for those who need an invitation to the Splunk user groups on Slack.
Overall, the article provides a comprehensive overview of why driver inventory practices and security controls matter for maintaining a strong security posture against evolving threats. It outlines the use of tools such as the Atomic Red Team project to test security controls and detect malicious drivers, and points to resources for further learning: the latest security analytics stories on GitHub and Splunkbase, and the release notes on Splunk Docs.
📓 These Are The Drivers You Are Looking For: Detect and Prevent Malicious Drivers