Bringing your own vulnerable drivers to bypass defenses.

In the world of operating systems, a driver is a specialized type of software that allows the operating system to communicate and interact with a hardware device. Basically, it serves as a translator between the hardware and the software layers of the computer system. Each piece of hardware connected to a your computer, from the simplest peripherals like a mouse or keyboard to more complex components like a graphics card or a network adapter, requires a driver to function properly.

Image: https://learn.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/what-is-a-driver-

Keeping drivers up-to-date is not only important for performance reasons, but also for security. Software updates will often include patches for security vulnerabilities that were recently disclosed to the vendor.

Software vulnerabilities are flaws or weaknesses in a software program or system that can be exploited by attackers to gain unauthorized access or cause harm to a system. They can exist in operating systems, applications, embedded systems, and even in hardware components.

After understanding the mechanics of the vulnerability, an attacker will develop an exploit. An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of the vulnerability to cause unintended behavior in the software system. This process is what's called "weaponizing a vulnerability". and could range from gaining control over the system, accessing restricted data, or disrupting normal operations.

The lifecycle of a vulnerability often ends with the software vendors issuing a patch or update to fix the flaw. However, until these patches are applied, systems remain at risk. This situation is often exploited in what is known as a “zero-day” attack, where attackers use the vulnerability before the developers have a chance to address it. Therefore, timely patch management and staying informed about emerging vulnerabilities are crucial aspects of cyber security.

The Bring Your Own Vulnerable Driver (BYOVD) attack is a post-compromise techniques where attackers exploit vulnerabilities in legitimate, often outdated or unpatched, drivers to gain elevated privileges or execute malicious actions on a target system. These are some of the reason why this techniques has gained popularity among attackers in the last year or so:

Elevated Privileges: Drivers typically operate at a high privilege level within an operating system, often at the kernel level. This means that exploiting a driver can provide attackers with deep system access, bypassing standard user-level security controls, and once exploited, attackers can potentially execute code with the same elevated privileges as the driver.
Bypassing Security Measures: Modern operating systems and security solutions have become increasingly effective at detecting and mitigating traditional forms of attacks and malware. However, these security solutions often trust drivers, especially those that are digitally signed by legitimate vendors. Attackers exploit this trust by using legitimate drivers with known vulnerabilities as a means to bypass security measures that would typically flag or block unauthorized activities.
Stealth and Persistence: By exploiting a legitimate driver, attackers can operate more stealthily, reducing the chances of detection. Since drivers are an integral part of the system’s normal operation, malicious activities carried out through a compromised driver can blend in with legitimate system processes. Additionally, drivers are loaded early in the boot process, which can provide attackers with a persistent method of executing their code each time the system starts.
Number of Exploitable Drivers: There are numerous drivers from various hardware vendors that contain exploitable vulnerabilities. Some of these drivers are not actively maintained or updated, leaving known vulnerabilities unpatched. Attackers can take advantage of this vast pool of vulnerable drivers, increasing the chances of finding a suitable one that works with their target systems.

The following demonstration will show how to disable Windows Defender using a BYOVD attack (https://github.com/ZeroMemoryEx/Blackout ). After that, MimiKatz will be used to dump the credentials of the users that have logged into the machine. Since the privileges that the vulnerable driver is running in (the same as Windows Defender), the exploit can be used to disable the Anti-Virus and give a potential attacker unrestricted access to the machine.

In order to perform this attack, the vulnerable driver needs to be present on the target system. An attacker will likely download this driver on the system or have an exploit for driver that is already present maybe a Windows driver. *wink wink*

The other requirements for this particular attack are a terminal session as Administrator, the process ID (PID) of windows defender. The exploit will take the PID of Windows Defender and kill it. It will also prevent Defender from starting up again.

Before the exploit, the PID is gathered. The process name "MsMpEng.exe" is running on process number "2712". The administrator shell is also opened in the directory containing both the vulnerable driver and the weaponized exploit. Windows Defender is currently running and active.

After running the exploit, the privileged process containing Windows Defender is killed and the security service is disabled. This leaves the device vulnerable to further attacks.

An attacker can now easily install and run their offensive tooling and perform further post-exploitation attacks on the device such as gathering hashes with MimiKatz.

References

https://attack.mitre.org/techniques/T1068/
https://learn.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/what-is-a-driver-
https://github.com/ZeroMemoryEx/Blackout
https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/

Author: G. Botha