These Are The Drivers You Are Looking For: Detect and Prevent Malicious Drivers

Article Excerpt

The Windows kernel driver is an interesting space that falls between persistence and privilege escalation. The origins of a vulnerable driver being used to elevate privileges may have begun in the gaming community as a way to hack or cheat in games, but also have potential beginnings with Stuxnet.

Long Summary

This article provides an overview of the various methods available to defenders for detecting and blocking malicious drivers. It begins by discussing LOLDrivers, a tool that can be used to detect malicious drivers, and then covers methods for blocking malicious drivers, such as using Windows security event logs, DriverQuery inputs, Sysmon EventID 6, and EDR/Application Control products. It also covers Atomic Red Team testing, which can be used to simulate the addition of a service with sc.exe and assess the effectiveness of security controls.

The article also provides a few hunting queries that can be used to detect drivers, such as those for Carbon Black Response and Sysmon, and includes a screenshot showing how much data EventID 6 produces. It then covers the related security content: the data sources involved and the detections Sc Exe Manipulating Windows Services, Windows Driver Load Non-Standard Path, Windows Drivers Loaded By Signature, Windows Registry Certificate Added, Windows Service Create Kernel Mode Driver, and Windows Vulnerable Driver Loaded.
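As an added example (not code from the article, from Splunk's security content, or from the LOLDrivers project), the script below applies three of the detection ideas named above to Sysmon EventID 6 (Driver loaded) records: a driver loaded from a non-standard path, a driver that is unsigned or carries an invalid signature, and a driver whose SHA256 appears on a block list of known-vulnerable drivers. The sample events, the list of standard driver directories and the block-list hash are all constructed for this example; a real deployment would fill the block list from LOLDrivers or a vendor feed.

```python
"""Triage of Sysmon Event ID 6 (Driver loaded) records.

Added example, not code from the article or from Splunk's security content.
It mirrors three of the detection ideas the article names: a driver loaded
from a non-standard path, a driver whose signature is missing or invalid,
and a driver whose hash appears on a list of known-vulnerable drivers.
"""
from typing import Dict, List

# Directories from which drivers are normally loaded (lower-cased for matching).
# Assumption for this example; tune to the environment's own baseline.
STANDARD_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "\\systemroot\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Constructed placeholder block list. A real deployment would populate this
# from the LOLDrivers project or a vendor feed; this value is not a real hash.
KNOWN_VULNERABLE_SHA256 = {
    "1111111111111111111111111111111111111111111111111111111111111111",
}

# Constructed sample events in the shape Sysmon writes for Event ID 6.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # signed driver from the normal location: expected clean
        "UtcTime": "2023-01-01 10:00:00.000",
        "ImageLoaded": "C:\\Windows\\System32\\drivers\\example.sys",
        "Hashes": "SHA256=AAAA0000AAAA0000,IMPHASH=0000",
        "Signed": "true",
        "Signature": "Microsoft Windows",
        "SignatureStatus": "Valid",
    },
    {   # validly signed but known-vulnerable, loaded from a user directory
        "UtcTime": "2023-01-01 10:05:00.000",
        "ImageLoaded": "C:\\Users\\Public\\tool.sys",
        "Hashes": "SHA256=1111111111111111111111111111111111111111111111111111111111111111",
        "Signed": "true",
        "Signature": "Example Vendor Ltd",
        "SignatureStatus": "Valid",
    },
    {   # unsigned driver loaded via an NT object path
        "UtcTime": "2023-01-01 10:07:00.000",
        "ImageLoaded": "\\??\\C:\\ProgramData\\Tools\\drv.sys",
        "Hashes": "SHA256=BBBB0000BBBB0000",
        "Signed": "false",
        "Signature": "",
        "SignatureStatus": "Unavailable",
    },
]


def parse_hashes(field: str) -> Dict[str, str]:
    """Turn Sysmon's 'SHA256=...,IMPHASH=...' field into a dict."""
    hashes: Dict[str, str] = {}
    for part in field.split(","):
        name, _, value = part.partition("=")
        if name and value:
            hashes[name.strip().upper()] = value.strip().lower()
    return hashes


def normalize_path(path: str) -> str:
    """Strip the NT '\\??\\' prefix and lower-case the path for comparison."""
    path = path.lower()
    if path.startswith("\\??\\"):
        path = path[4:]
    return path


def triage(event: Dict[str, str]) -> List[str]:
    """Return the findings for one Event ID 6 record (empty list = clean)."""
    findings: List[str] = []
    path = normalize_path(event.get("ImageLoaded", ""))
    if not path.startswith(STANDARD_DRIVER_DIRS):
        findings.append("non_standard_path")
    signed = event.get("Signed", "false").lower() == "true"
    status_ok = event.get("SignatureStatus", "").lower() == "valid"
    if not (signed and status_ok):
        findings.append("unsigned_or_invalid_signature")
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in KNOWN_VULNERABLE_SHA256:
        findings.append("known_vulnerable_driver")
    return findings


def triage_events(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each flagged image path to its findings; clean loads are dropped."""
    return {e["ImageLoaded"]: triage(e) for e in events if triage(e)}


if __name__ == "__main__":
    for image, findings in triage_events(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(findings)}")
```

The path check is a baseline, not a verdict: third-party drivers legitimately live under `DriverStore`, so the first signal is the vulnerable-hash match, the second is a missing or invalid signature, and a non-standard path mainly raises the priority of the other two.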

The article acknowledges the contributions of Teoderick Contreras, Michael Haag, Mauricio Velazco, Rod Soto, Jose Hernandez, Patrick Bareiss, Lou Stella, Bhavin Patel and Eric McGinnis. It encourages readers to provide feedback or requests via an issue on GitHub or by joining the Slack channel #security-research. Instructions are provided for those who need an invitation to the Splunk user groups on Slack.

Overall, the article gives a comprehensive overview of why driver inventory practices and security controls matter for maintaining a strong security posture against evolving threats. It outlines the use of tools such as the Atomic Red Team project to test security controls and detect malicious drivers, and points to further resources: the latest security analytic stories on GitHub and Splunkbase, and the release notes on Splunk Docs. It closes by inviting feedback or requests, with instructions for those who need an invitation to the Splunk user groups on Slack.

Short Summary

📓 These Are The Drivers You Are Looking For: Detect and Prevent Malicious Drivers

šŸ‘‰šŸ½ The Windows kernel driver is an interesting space that falls between persistence and privilege escalation. The origins of a vulnerable driver being used to elevate privileges may have begun in the gaming community as a way to hack or cheat in games, but also has potential beginnings with Stuxnet. šŸ‘‰šŸ½ Overview of methods for detecting and blocking malicious drivers šŸ‘‰šŸ½ Discussion of LOLDrivers tool for detecting malicious drivers šŸ‘‰šŸ½ Methods for blocking malicious drivers using Windows security event logs šŸ‘‰šŸ½ Use of DriverQuery inputs and Sysmon EventID 6 for blocking malicious drivers šŸ‘‰šŸ½ EDR/Application Control products for blocking malicious drivers šŸ‘‰šŸ½ Use of Atomic Red Team testing to assess security controls šŸ‘‰šŸ½ Hunting queries for detecting drivers using Carbon Black Response and Sysmon šŸ‘‰šŸ½ Coverage of security content on different driver vulnerabilities and threats šŸ‘‰šŸ½ Acknowledgments of contributors and resources for further learning šŸ‘‰šŸ½ Encouragement for feedback and instructions for joining the Splunk user groups on Slack.

#MaliciousDriverDetection #SecurityControls #AtomicRedTeam #HuntingQueries #DriverInventoryPractices