The most dangerous drivers for Windows

Drivers are an integral part of the operating system, but the risk they carry is often underestimated. A driver runs inside the kernel with full privileges, and Windows will load any driver whose signature it accepts, no matter how old the driver is or whether anyone still maintains it; 32-bit systems will load unsigned ones as well. Malicious code delivered this way is hard to detect from user mode.

Older 32-bit drivers usually shipped without a digital signature. Even the introduction of mandatory kernel-mode code signing did not fully solve the problem. First, attackers use stolen or leaked code-signing certificates. Second, they bring along legitimately signed but vulnerable drivers from trusted publishers such as Lenovo, ASRock, ASUSTeK and Dell (the "bring your own vulnerable driver" technique) and exploit their bugs to run code in the kernel. Such drivers are present on many computers, and antivirus products do not treat them as a threat because they are genuine vendor software.


Attack through the driver

Symantec researchers last year discovered a backdoor named Daxin, believed to have been developed by a state intelligence service (possibly Chinese) for espionage.

Daxin is built to penetrate well-protected networks where antivirus and firewalls are in place, so it is deployed as a Windows kernel driver. This let it stay hidden for a long time: according to the researchers, Daxin operated for years inside the networks of Western government agencies, collecting information for its operators.

Symantec compared Daxin with Regin, a highly advanced backdoor from 2014 that also ran at kernel level and loaded its working binaries as Windows drivers.

Monitoring the drivers that are installed and loaded lets you catch such threats at an early stage: vulnerable drivers can be updated or removed, malicious ones deleted, and the window for exploitation kept small.

LOLDrivers

The LOLDrivers project (Living Off The Land Drivers) collects as many vulnerable and malicious Windows drivers from official publishers as possible in one place and makes that information available to everyone. It is a valuable resource that helps organizations understand and mitigate the security risks associated with drivers.

The main page lists the drivers with the date each was added to the catalog, and a filter makes it easy to search for a specific file name. For each driver there is a link to the security bulletin describing the attack that is possible through it (usually privilege escalation, after which malicious code from another file is launched with kernel privileges).

The list is available through the API in CSV and JSON formats. To detect vulnerable drivers by hash, the project also ships a Sysmon configuration and Sigma rules for corporate SIEM systems.

  • Examples of vulnerable drivers (unintentional bugs in the code that can be exploited): capcom.sys and asrdrv10.sys.
  • Examples of malicious drivers written specifically for Daxin-style targeted attacks: gtfkyj64.sys and wantd.sys.
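The following PowerShell script is an added example, not code from the LOLDrivers project or from the original article. It compares the SHA-256 hash of every running kernel driver on the host against the LOLDrivers catalog. It assumes the JSON feed is served at https://www.loldrivers.io/api/drivers.json and that each entry carries Id, Category, Tags and a KnownVulnerableSamples array whose objects have a SHA256 field; check those names against the current feed before relying on the output.

```powershell
# Added example, not code from the LOLDrivers project or the original article.
# Compares the SHA-256 of every running kernel driver on this host against the
# LOLDrivers catalog. Assumptions (verify against the current feed): the JSON
# is served at https://www.loldrivers.io/api/drivers.json and each entry has
# Id, Category, Tags and a KnownVulnerableSamples array with SHA256 fields.
# Run from an elevated PowerShell so every driver image on disk is readable.

function Get-LolDriverCatalog {
    param(
        [string]$Path,                                                # local copy of the feed
        [string]$Url = 'https://www.loldrivers.io/api/drivers.json'   # assumed feed URL
    )
    if ($Path) { return Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json }
    return Invoke-RestMethod -Uri $Url                                # parses the JSON for us
}

function ConvertTo-HashIndex {
    # Flatten the catalog into a hashtable keyed by lowercase SHA-256 so each
    # driver costs one lookup instead of a scan of the whole feed.
    param([Parameter(Mandatory)][object[]]$Catalog)
    $index = @{}
    foreach ($entry in $Catalog) {
        foreach ($sample in @($entry.KnownVulnerableSamples)) {
            if (-not $sample.SHA256) { continue }
            $index[$sample.SHA256.ToLowerInvariant()] = [pscustomobject]@{
                Id       = $entry.Id
                Category = $entry.Category
                Tags     = (@($entry.Tags) -join ', ')
                Filename = $sample.Filename
            }
        }
    }
    return $index
}

function Get-LoadedDriverFiles {
    # Win32_SystemDriver lists kernel services. PathName may carry the
    # \SystemRoot\ or \??\ prefix, which the file cmdlets cannot open directly;
    # entries whose path still does not resolve are skipped.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $p = $_.PathName -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            $p = $p -replace '^\\\?\?\\', ''
            if (Test-Path -LiteralPath $p) {
                [pscustomobject]@{ Name = $_.Name; Path = $p }
            }
        }
}

function Find-KnownVulnerableDrivers {
    param(
        [Parameter(Mandatory)][hashtable]$Index,
        [Parameter(Mandatory)][object[]]$Drivers
    )
    foreach ($d in $Drivers) {
        $sha = (Get-FileHash -LiteralPath $d.Path -Algorithm SHA256).Hash.ToLowerInvariant()
        $hit = $Index[$sha]
        [pscustomobject]@{
            Driver   = $d.Name
            Path     = $d.Path
            SHA256   = $sha
            Listed   = [bool]$hit
            LolId    = $hit.Id          # $null when the driver is not listed
            Category = $hit.Category
        }
    }
}

# Usage: build the index once, then scan the running drivers.
$index  = ConvertTo-HashIndex -Catalog (Get-LolDriverCatalog)
$report = Find-KnownVulnerableDrivers -Index $index -Drivers @(Get-LoadedDriverFiles)
$report | Where-Object Listed | Format-Table Driver, LolId, Category, SHA256 -AutoSize
```

Only exact hash matches are reported: a recompiled or repacked build of the same vulnerable driver will be missed. That is why the catalog also publishes Authentihash values, and why the project's Sigma rules key on Sysmon driver-load events (Event ID 6, which logs the hashes and signer of every loaded driver) rather than on a one-off disk scan like this one.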

Related projects:

  • LOLBAS (Living Off The Land Binaries, Scripts and Libraries), a list of abusable binaries, scripts and libraries shipped with Windows. For each one the official functionality and the possible attack vectors are listed, that is, how an attacker can misuse it.
  • GTFOBins: A list of 375 Unix binaries that can be used to bypass local security restrictions on misconfigured systems.

Lists of vulnerable Windows drivers are, of course, just as useful to attackers looking for a way into a protected system. The hope is that cataloguing these potential threats does more good than harm.

Driver Signature Verification

To check file signatures under Windows and view the certificate chain, the recommended tool is the Sysinternals command-line utility sigcheck. It can also look a file up in VirusTotal, which aggregates the verdicts of dozens of antivirus engines, with the option to upload the file for scanning.

For example, to list all unsigned executable images in \Windows\System32 (-u shows only unsigned files, -e restricts the scan to executable images):

sigcheck -u -e c:\windows\system32

Sigcheck prints the certificate and publisher information for each file; add -a for extended version information and -h to include file hashes alongside it.

In the PowerShell console you can view the version information embedded in a directory of samples with Get-ItemProperty:

Get-ItemProperty -Path C:\Users\Administrator\Desktop\5400414768496640\* | Format-List -Property VersionInfo

Result:

VersionInfo : File: \06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4
InternalName: wantd.sys
OriginalFilename: wantd.sys
FileVersion: 6.1.7600.1172
FileDescription: WAN Transport Driver
Product: Microsoft Windows Operating System
ProductVersion: 6.1.7600.1172
Debug: False
Patched: False
PreRelease: False
PrivateBuild: False
SpecialBuild: False
Language: English (United States)



… etc.

Information about certificates:

Get-AuthenticodeSignature -FilePath .\Desktop\5400414768496640\*

Result:

SignerCertificate Status Path
----------------- ------ ----
84E01D467068826892F41AF4A48D5493BABE62E9 UnknownError 06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4
84E01D467068826892F41AF4A48D5493BABE62E9 UnknownError 0f82947b2429063734c46c34fb03b4fa31050e49c27af15283d335ea22fe0555
84E01D467068826892F41AF4A48D5493BABE62E9 HashMismatch 3e7724cb963ad5872af9cfb93d01abf7cd9b07f47773360ad0501592848992f4
84E01D467068826892F41AF4A48D5493BABE62E9 Valid 49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530
C61A221389C98EE2FBC0E57A62DEE5A915E6C509 UnknownError 5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae
C61A221389C98EE2FBC0E57A62DEE5A915E6C509 UnknownError 5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a
84E01D467068826892F41AF4A48D5493BABE62E9 Valid 6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f
NotSigned 7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376
NotSigned 81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1
84E01D467068826892F41AF4A48D5493BABE62E9 HashMismatch 8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce
NotSigned 8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e
NotSigned 96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc
NotSigned 9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51
84E01D467068826892F41AF4A48D5493BABE62E9 UnknownError b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427
84E01D467068826892F41AF4A48D5493BABE62E9 HashMismatch b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3
NotSigned c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c
NotSigned e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217
84E01D467068826892F41AF4A48D5493BABE62E9 HashMismatch

Certificate status with the verification message, exported to CSV (the backtick at the end of a line continues the command on the next line):

Get-ChildItem C:\Users\Administrator\Desktop\5400414768496640\* | Get-AuthenticodeSignature | `
    Select-Object -Property Path,IsOSBinary,SignatureType,Status,StatusMessage | `
    Export-Csv C:\temp\Signature.csv -NoTypeInformation

Result:

"Path","IsOSBinary","SignatureType","Status","StatusMessage"
"C:\Users\Administrator\Desktop\5400414768496640\06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4","False","Authenticode","UnknownError","A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file"
"C:\Users\Administrator\Desktop\5400414768496640\0f82947b2429063734c46c34fb03b4fa31050e49c27af15283d335ea22fe0555","False","Authenticode","UnknownError","A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file"
"C:\Users\Administrator\Desktop\5400414768496640\3e7724cb963ad5872af9cfb93d01abf7cd9b07f47773360ad0501592848992f4","False","Authenticode","HashMismatch","The contents of file C:\Users\Administrator\Desktop\5400414768496640\3e7724cb963ad5872af9cfb93d01abf7cd9b07f47773360ad0501592848992f4 might have been changed by an unauthorized user or process, because the hash of the file does not match the hash stored in the digital signature. The script cannot run on the specified system. For more information, run Get-Help about_Signing."
"C:\Users\Administrator\Desktop\5400414768496640\49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530","False","Authenticode","Valid","Signature verified."
"C:\Users\Administrator\Desktop\5400414768496640\5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae","False","Authenticode","UnknownError","A certificate was explicitly revoked by its issuer"
"C:\Users\Administrator\Desktop\5400414768496640\5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a","False","Authenticode","UnknownError","A certificate was explicitly revoked by its issuer"
"C:\Users\Administrator\Desktop\5400414768496640\6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f","False","Authenticode","Valid","Signature verified."
"C:\Users\Administrator\Desktop\5400414768496640\7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376","False","None","NotSigned","The file C:\Users\Administrator\Desktop\5400414768496640\7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376 is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170"
"C:\Users\Administrator\Desktop\5400414768496640\81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1","False","None","NotSigned","The file C:\Users\Administrator\Desktop\5400414768496640\81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1 is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170"
"C:\Users\Administrator\Desktop\5400414768496640\8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce","False","Authenticode","HashMismatch","The contents of file C:\Users\Administrator\Desktop\5400414768496640\8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce might have been changed by an unauthorized user or process, because the hash of the file does not match the hash stored in the digital signature. The script cannot run on the specified system. For more information, run Get-Help about_Signing."
"C:\Users\Administrator\Desktop\5400414768496640\8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e","False","None","NotSigned","The file C:\Users\Administrator\Desktop\5400414768496640\8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170"
"C:\Users\Administrator\Desktop\5400414768496640\96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc","False","None","NotSigned","The file C:\Users\Administrator\Desktop\5400414768496640\96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170"
"C:\Users\Administrator\Desktop\5400414768496640\9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51","False","None","NotSigned","The file C:\Users\Administrator\Desktop\5400414768496640\9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51 is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170"
"C:\Users\Administrator\Desktop\5400414768496640\b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427","False","Authenticode","UnknownError","A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file"
"C:\Users\Administrator\Desktop\5400414768496640\b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3","False","Authenticode","HashMismatch","The contents of file C:\Users\Administrator\Desktop\5400414768496640\b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3 might have been changed by an unauthorized user or process, because the hash of the file does not match the hash stored in the digital signature. The script cannot run on the specified system. For more information, run Get-Help about_Signing."
"C:\Users\Administrator\Desktop\5400414768496640\c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c","False","None","NotSigned","The file C:\Users\Administrator\Desktop\5400414768496640\c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170"
"C:\Users\Administrator\Desktop\5400414768496640\e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217","False","None","NotSigned","The file C:\Users\Administrator\Desktop\5400414768496640\e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217 is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170"
"C:\Users\Administrator\Desktop\5400414768496640\e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e","False","Authenticode","HashMismatch","The contents of file C:\Users\Administrator\Desktop\5400414768496640\e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e might have been changed by an unauthorized user or process, because the hash of the file does not match the hash stored in the digital signature. The script cannot run on the specified system. For more information, run Get-Help about_Signing."
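The script below is an added example and not code from the original article. It triages a directory of samples the way the Get-AuthenticodeSignature run above does, but additionally records the signer's subject and validity window, whether the signature is timestamped, and then groups the samples by signing certificate so that one certificate reused across many files (as with the thumbprint that recurs in the output above) stands out. The directory and output paths are placeholders.

```powershell
# Added example, not code from the original article. Triages every file in a
# sample directory: Authenticode status, signer subject and validity window,
# whether the signature carries a timestamp, then groups samples by signing
# certificate. The paths are placeholders. Nothing here loads a driver.

function Get-DriverSignatureTriage {
    param([Parameter(Mandatory)][string]$Directory)

    Get-ChildItem -LiteralPath $Directory -File | ForEach-Object {
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $cert = $sig.SignerCertificate          # $null for unsigned files
        $ts   = $sig.TimeStamperCertificate     # $null when not timestamped

        # Triage verdict. An expired or revoked certificate is intelligence about
        # the signer, not proof the driver is blocked: the kernel's code-integrity
        # check accepts a timestamped signature after the certificate expires and
        # does not perform revocation checks, which is why Microsoft blocks known
        # bad drivers with a blocklist rather than by revoking certificates.
        $verdict = switch ($sig.Status) {
            'Valid'        { 'signed; still check the hash against LOLDrivers' }
            'NotSigned'    { 'unsigned' }
            'HashMismatch' { 'signature present but image modified after signing' }
            default        { $sig.StatusMessage }
        }

        [pscustomobject]@{
            File        = $_.Name
            SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Status      = $sig.Status
            Type        = $sig.SignatureType   # Authenticode, Catalog or None
            Thumbprint  = $cert.Thumbprint
            Subject     = $cert.Subject
            NotBefore   = $cert.NotBefore
            NotAfter    = $cert.NotAfter
            Timestamped = [bool]$ts
            Verdict     = $verdict
        }
    }
}

function Group-SamplesBySigner {
    # Many samples under one thumbprint usually means a stolen, leaked or
    # deliberately purchased certificate reused across a toolset.
    param([Parameter(Mandatory)][object[]]$Triage)
    $Triage | Where-Object Thumbprint | Group-Object Thumbprint | ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Name
            Subject    = $_.Group[0].Subject
            Samples    = $_.Count
            Files      = ($_.Group.File -join ', ')
        }
    }
}

# Usage (paths are placeholders):
$triage = Get-DriverSignatureTriage -Directory 'C:\samples\drivers'
$triage | Sort-Object Status | Format-Table File, Status, Type, Timestamped, Verdict -AutoSize
Group-SamplesBySigner -Triage $triage | Format-Table -AutoSize
$triage | Export-Csv -Path 'C:\temp\driver-triage.csv' -NoTypeInformation
```

A Valid status only means the image has not been altered since a trusted publisher signed it; it says nothing about whether that publisher's driver contains an exploitable bug, so the SHA256 column is there to be checked against the LOLDrivers catalog.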
