URL: https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
DRIVER-BASED ATTACKS: PAST AND PRESENT

 * Dec 13, 2021
 * 7 min read
 * Jake Baines


Last updated at Fri, 01 Dec 2023 19:19:33 GMT

"People that write Ring 0 code and write it badly are a danger to society." -
Mickey Shkatov

There is no security boundary between an administrator and the Windows kernel,
according to the Microsoft Security Servicing Criteria for Windows. In our
analysis of CVE-2021-21551, a write-what-where vulnerability (see CWE-123) in a
Dell driver, we found that Dell’s update didn’t fix the write-what-where
condition but only limited access to administrative users. According to
Microsoft’s definition of security boundaries, Dell’s fix removed the security
issue. However, the partially fixed driver can still help attackers.

There’s an attack technique called Bring Your Own Vulnerable Driver (BYOVD). In
this attack, an adversary with administrative privileges installs a legitimately
signed driver on the victim system. The legitimate driver has a vulnerability
that the attacker exploits to gain ring 0 access. Access to ring 0 allows the
attacker to subvert or disable security mechanisms and allows them to hide
deeper in the system.


KNOWN USAGE IN THE WILD

BYOVD is a common technique used by advanced adversaries and opportunistic
attackers alike. To illustrate this, the following table is a non-exhaustive
list of well-known adversaries/malware that use the BYOVD tactic, the associated
vulnerable driver, and the associated vulnerability where applicable or known.

| Year Published | Adversary/Malware | Driver Name | Driver Creator | CVE ID |
|---|---|---|---|---|
| 2021 | Candiru | physmem.sys | Hilscher | N/A |
| 2021 | Iron Tiger | procexp152.sys | Process Explorer | N/A |
| 2021 | Iron Tiger | cpuz141.sys | CPUID CPU-Z | CVE-2017-15303 |
| 2021 | GhostEmperor | dbk64.sys | CheatEngine | N/A |
| 2021 | ZINC | viraglt64.sys | Vir.IT eXplorer | CVE-2017-16238 |
| 2021 | Various Cryptominers using XMRig | winring00x64.sys | OpenLibSys | N/A |
| 2021 | TunnelSnake | vboxdrv.sys | VirtualBox | CVE-2008-3431 |
| 2020 | RobbinHood | gdrv.sys | Gigabyte | CVE-2018-19320 |
| 2020 | Trickbot | rwdrv.sys | RWEverything | N/A |
| 2020 | InvisiMole | speedfan.sys | Alfredo Milani Comparetti Speedfan | CVE-2007-5633 |
| 2020 | ZeroCleare | vboxdrv.sys | VirtualBox | Unclear |
| 2020 | Winnti Group | vboxdrv.sys | VirtualBox | CVE-2008-3431 |
| 2020 | AcidBox | vboxdrv.sys | VirtualBox | Unclear |
| 2020 | Dustman | vboxdrv.sys | VirtualBox | CVE-2008-3431 |
| 2019 | Doppelpaymer | kprocesshacker.sys | Process Hacker | N/A |
| 2018 | LoJax | rwdrv.sys | RWEverything | N/A |
| 2018 | Slingshot | sandra.sys | SiSoftware Sandra | CVE-2010-1592 |
| 2018 | Slingshot | elbycdio.sys | Elaborate Bytes | CVE-2009-0824 |
| 2018 | Slingshot | speedfan.sys | Alfredo Milani Comparetti Speedfan | CVE-2007-5633 |
| 2018 | Slingshot | goad.sys | ?? | Unclear |
| 2017 | The Lamberts | sandra.sys | SiSoftware Sandra | CVE-2010-1592 |
| 2016 | Remsec | aswsnx.sys | Avast! | Unclear |
| 2016 | Remsec | sandbox.sys | Agnitum Output | Unclear |
| 2015 | Equation Group | elbycdio.sys | CloneCD | CVE-2009-0824 |
| 2015 | Derusbi | nicm.sys, nscm.sys, ncpl.sys | Novell | CVE-2013-3956 |
| 2014 | Turla | vboxdrv.sys | VirtualBox | CVE-2008-3431 |
| 2012 | Shamoon | elrawdsk.sys | Eldos Rawdisk | N/A |

We believe that attacks or exploits that are actually used in the wild are,
practically by definition, worthwhile for attackers. The table above illustrates
that BYOVD is a valuable technique. Given these bad drivers' wide use in the
wild, it would be beneficial for the security community to identify exploitable
drivers and minimize or block their use.


USE CASES

Those unfamiliar with BYOVD are probably wondering why these attackers are doing
this. By far, the number one reason adversaries are using BYOVD is to bypass
Windows Driver Signature Enforcement (DSE). DSE ensures that only signed kernel
drivers can be loaded. By installing and exploiting a vulnerable driver,
attackers can load their own unsigned malicious drivers.

There are a number of open-source exploits that demonstrate loading unsigned
drivers via BYOVD. These four are some of the most well-known:

 * Stryker (using cpuz141.sys with CVE-2017-15303 and process explorer)
 * DSEFix (using CVE-2008-3841)
 * TDL (using CVE-2008-3841)
 * KDU (using multiple vulnerabilities including CVE-2015-2291, CVE-2018-19320,
   CVE-2019-18845, CVE-2019-16098, and CVE-2019-8372)

Each of these tools is authored by the same individual, hfiref0x. Stryker,
DSEFix, and TDL are all deprecated or in read-only mode. Notably, Stryker and
DSEFix run afoul of PatchGuard and are no longer suitable for most situations.
KDU, a tool that supports more than 14 different vulnerable drivers as the
“provider,” is the unsigned driver loader of choice.

Once the attacker has loaded their unsigned driver into the kernel, they can
accomplish a wide variety of tasks they wouldn’t be able to otherwise. Some
obvious examples include unhooking EDR callbacks or hiding exploitation/rootkit
artifacts. The attacker can write themselves a UEFI rootkit. Or just overwrite
all data (resulting in BSoD). Or inject code into other processes.

The Dell drivers discussed below should be able to facilitate these types of
attacks. Connor McGarr demonstrated that Dell’s dbutil_2_3.sys (which is
vulnerable to CVE-2021-21551) can be used to execute attacker code in kernel
mode. Because the write-what-where condition persists in the follow-on drivers,
dbutildrv2.sys 2.5 and 2.7, Dell has delivered three unique signed drivers that
can execute attacker code in kernel mode.

The previously mentioned attacks largely focused on executing code in kernel
mode. However, BYOVD also enables a simpler data-oriented attack that allows the
attacker to subvert LSA protection.

LSA protection prevents non-protected processes from reading the memory of, or
injecting code into, Windows' Local Security Authority Subsystem Service
(lsass.exe). That means tools like Mimikatz can’t dump the memory contents of
lsass.exe in order to retrieve Windows account credentials. However, an attacker
with ring 0 access can reach into the lsass.exe EPROCESS struct and simply mask
out the LSA protection. Once masked out, the attacker is free to dump
lsass.exe’s memory. There are a couple of good open-source implementations of
this: mimidrv (a signed driver that is part of mimikatz) and PPLKiller (uses
RTCore64.sys).


EXPLOITATION USING THE DELL DRIVERS

We’ve developed a Metasploit module that implements the LSA protection attack
using the new Dell drivers (dbutildrv2.sys 2.5 and 2.7). An attacker with
escalated privileges can use the module to enable or disable process protection
on an arbitrary PID. The following proof-of-concept video demonstrates
unprotecting lsass.exe and dumping its memory from Metasploit.



The Dell drivers are especially valuable because they are compatible with the
newest signing requirements issued by Microsoft.

While old drivers like vboxdrv.sys / CVE-2008-3431 are finally becoming obsolete
— 13 years is a pretty good run for any vulnerability — the Dell drivers are
appearing in time to take their place. And the likelihood of the Dell drivers
being blacklisted is low. The drivers are used for updating firmware across a
large number of products. Preventing users from updating their computers’
firmware via driver blacklist is a non-starter.

While conducting this research, Rapid7 did reach out to Dell about this issue.
They stated the following:

> After careful consideration with the product team, we have categorized this
> issue as a weakness and not a vulnerability due to the privilege level
> required to carry out an attack. This is in alignment with the guidance
> provided in the Windows Driver Model. We are not planning on releasing a
> security advisory or issuing a CVE on this.


OTHER EXPLOITATION IN THE WILD

Of course, we are not the first to use the Dell drivers in a malicious manner.
As we noted in our AttackerKB analysis, dbutil_2_3.sys can be found associated
with malware on VirusTotal. The newer versions of the driver, dbutildrv2.sys
versions 2.5 and 2.7, do not appear to have been used maliciously yet. However,
we do note a fair amount of other activity associated with BYOVD-related drivers
that haven’t yet been mentioned in this write-up:

 * asrdrv101.sys (CVE-2018-1071[0-2]?)
 * asrdrv102.sys (CVE-2018-1071[0-2]?)
 * ucorew64.sys
 * piddrv64.sys
 * atillk64.sys (CVE-2019-7246)

The point is that this is a fairly active and perhaps under-reported technique.
It seems only the most well-known vulnerable drivers are flagged by AV. Even a
well-known driver like gdrv.sys isn’t flagged.

(Figure: vboxdrv.sys vs. gdrive.sys)

At what point should these legitimate drivers be flagged by AV? I posit that
once a driver is distributed via Discord, it might be time to start flagging it
as badware.


DETECTION AND MITIGATION GUIDANCE

Perhaps the best way to protect your systems is to use Microsoft's recommended
driver block rules. The list is full of known bad drivers and, when deployed as
an enforced WDAC policy, will block the listed drivers from being loaded. Of
course, this only protects you from the known vulnerable drivers that Microsoft
adds to the list, but it's better than nothing. The Dell drivers are not
currently in the list, but Dell has indicated they are working with Microsoft to
add dbutil_2_3.sys. However, as discussed earlier, the newer versions are
unlikely to ever be added. Detecting the Dell drivers through your preferred EDR
solution is an alternative. Note that the hashes below are flat file hashes,
suitable for EDR and VirusTotal lookups; WDAC hash rules use the Authenticode
(PE image) hash, so these values cannot be pasted into a block policy as-is. The
SHA-1 hashes are:

 * dbutil_2_3.sys: c948ae14761095e4d76b55d9de86412258be7afd
 * dbutildrv2.sys (2.5): 90a76945fd2fa45fab2b7bcfdaf6563595f94891
 * dbutildrv2.sys (2.7): b03b1996a40bfea72e4584b82f6b845c503a9748
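The following PowerShell is an added example, not code from the original post or from Rapid7. It hunts a single host for the three Dell driver hashes above in three places: the images backing registered kernel driver services, a sweep of likely drop directories, and the Sysmon DriverLoad history. The sweep paths and the Sysmon log name are assumptions about the environment, not facts from the post.

```powershell
# Added example (not part of the original post): hunt one host for the Dell
# BYOVD drivers by SHA-1. Run elevated so System32\drivers and other users'
# temp directories are readable.
$KnownBad = @{
    'c948ae14761095e4d76b55d9de86412258be7afd' = 'dbutil_2_3.sys'
    '90a76945fd2fa45fab2b7bcfdaf6563595f94891' = 'dbutildrv2.sys (2.5)'
    'b03b1996a40bfea72e4584b82f6b845c503a9748' = 'dbutildrv2.sys (2.7)'
}

# 1. Images behind registered kernel driver services, loaded or not. A BYOVD
#    loader normally creates a service pointing at the .sys wherever it dropped it,
#    so the path is not necessarily under System32\drivers.
$serviceImages = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object { $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot }

# 2. Assumed drop locations to sweep. The drivers ship inside Dell's firmware
#    updaters and get unpacked to temp directories, so check those as well.
$sweep  = @("$env:SystemRoot\System32\drivers", $env:TEMP, $env:ProgramData, "$env:SystemDrive\Users")
$onDisk = Get-ChildItem -Path $sweep -Filter *.sys -File -Recurse -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName

$hits = @(foreach ($file in ($serviceImages + $onDisk | Sort-Object -Unique)) {
    try   { $sha1 = (Get-FileHash -Path $file -Algorithm SHA1 -ErrorAction Stop).Hash.ToLower() }
    catch { continue }
    if ($KnownBad.ContainsKey($sha1)) {
        [pscustomobject]@{ Source = 'disk'; Path = $file; SHA1 = $sha1; Driver = $KnownBad[$sha1]; When = $null }
    }
})

# 3. Historical loads. Sysmon event ID 6 (DriverLoad) records the hash of every
#    driver image loaded, so a driver that was loaded and then deleted still shows
#    up here. Assumes Sysmon is installed and configured to include SHA1 in Hashes.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 } -ErrorAction SilentlyContinue
$hits += @(foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.Hashes -match 'SHA1=([0-9A-Fa-f]{40})') {
        $sha1 = $Matches[1].ToLower()
        if ($KnownBad.ContainsKey($sha1)) {
            [pscustomobject]@{ Source = 'sysmon'; Path = $data.ImageLoaded; SHA1 = $sha1; Driver = $KnownBad[$sha1]; When = $e.TimeCreated }
        }
    }
})

if ($hits.Count) { $hits | Format-Table -AutoSize } else { 'No known Dell BYOVD driver found.' }
```

The Sysmon pass is the one that matters for incident response: a BYOVD loader that deletes the driver after use leaves nothing for the disk sweep to find, but the DriverLoad event keeps the hash and the original path.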

If you are able to enable Hypervisor-Protected Code Integrity (HVCI), then you
should absolutely do so. And, of course, you should have Secure Boot enabled at
the very least. Keep in mind what HVCI does and does not buy you here: it does
not stop a validly signed vulnerable driver from loading, and it does not stop
data-only abuse of the driver's arbitrary write, such as overwriting a process
token. What it does is prevent the attacker from turning that write into
unsigned code executing in the kernel, so it complements the block rules rather
than replacing them.
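The following PowerShell is an added example, not code from the original post, covering the three mitigations above (block rules, HVCI, Secure Boot). It reads the Win32_DeviceGuard class for the HVCI and WDAC enforcement state and calls Confirm-SecureBootUEFI for Secure Boot. The status-code meanings are those documented for Win32_DeviceGuard; the assumption is that the driver block rules, if deployed, are the active WDAC policy, since this check reports only that a policy is enforced, not which one.

```powershell
# Added example (not part of the original post): report the host's posture
# against the mitigations discussed above. Run elevated.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
# Configured-but-not-running (SecurityServicesConfigured) is not good enough.
$hvciRunning = $dg.SecurityServicesRunning -contains 2

# CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced.
# Microsoft's driver block rules are a WDAC policy; in audit mode a listed
# driver still loads and only an event is written.
$wdac = switch ($dg.CodeIntegrityPolicyEnforcementStatus) {
    0       { 'off' }
    1       { 'audit' }
    2       { 'enforced' }
    default { 'unknown' }
}

# Confirm-SecureBootUEFI throws on legacy BIOS machines, where Secure Boot
# cannot exist at all; treat that as not enabled.
try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
catch { $secureBoot = $false }

[pscustomobject]@{
    HVCIRunning   = $hvciRunning
    WDACPolicy    = $wdac
    SecureBoot    = $secureBoot
    # Only 'enforced' WDAC actually blocks a listed vulnerable driver from loading.
    BlockRulesCanBlock = ($wdac -eq 'enforced')
}
```

The distinction between audit and enforced is the check most often missed: a block-rules policy that was merged and deployed in audit mode produces log entries about the Dell driver loading but does nothing to stop it.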

We can all try to improve the Windows driver ecosystem by following Microsoft
guidance on potentially dangerous drivers. Specifically, we can help by
submitting drivers with vulnerabilities to the Microsoft Security Intelligence
Driver Submission page for security analysis and by submitting block list
suggestions to Microsoft Security Intelligence.


POST TAGS

 * Risk Management
 * Emergent Threat Response

AUTHOR


Jake Baines