www.rapid7.com
18.173.219.83
Public Scan
URL:
https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
Submission: On September 18 via api from US — Scanned from CA
DRIVER-BASED ATTACKS: PAST AND PRESENT
Dec 13, 2021 | 7 min read | Jake Baines
Last updated at Fri, 01 Dec 2023 19:19:33 GMT

"People that write Ring 0 code and write it badly are a danger to society." - Mickey Shkatov

There is no security boundary between an administrator and the Windows kernel, according to the Microsoft Security Servicing Criteria for Windows. In our analysis of CVE-2021-21551, a write-what-where vulnerability (see CWE-123) in a Dell driver, we found that Dell’s update didn’t fix the write-what-where condition but only limited access to administrative users. According to Microsoft’s definition of security boundaries, Dell’s fix removed the security issue. However, the partially fixed driver can still help attackers.

There’s an attack technique called Bring Your Own Vulnerable Driver (BYOVD). In this attack, an adversary with administrative privileges installs a legitimately signed driver on the victim system. The legitimate driver has a vulnerability that the attacker exploits to gain ring 0 access. Access to ring 0 allows the attacker to subvert or disable security mechanisms and allows them to hide deeper in the system.

KNOWN USAGE IN THE WILD

BYOVD is a common technique used by advanced adversaries and opportunistic attackers alike. To illustrate this, the following table is a non-exhaustive list of well-known adversaries/malware that use the BYOVD tactic, the associated vulnerable driver, and the associated vulnerability where applicable or known.

Year Published | Adversary/Malware | Driver Name | Driver Creator | CVE ID
-------------- | ----------------- | ----------- | -------------- | ------
2021 | Candiru | physmem.sys | Hilscher | N/A
2021 | Iron Tiger | procexp152.sys | Process Explorer | N/A
2021 | Iron Tiger | cpuz141.sys | CPUID CPU-Z | CVE-2017-15303
2021 | GhostEmperor | dbk64.sys | CheatEngine | N/A
2021 | ZINC | viraglt64.sys | Vir.IT eXplorer | CVE-2017-16238
2021 | Various Cryptominers using XMRig | winring00x64.sys | OpenLibSys | N/A
2021 | TunnelSnake | vboxdrv.sys | VirtualBox | CVE-2008-3431
2020 | RobbinHood | gdrv.sys | Gigabyte | CVE-2018-19320
2020 | Trickbot | rwdrv.sys | RWEverything | N/A
2020 | InvisiMole | speedfan.sys | Alfredo Milani Comparetti Speedfan | CVE-2007-5633
2020 | ZeroCleare | vboxdrv.sys | VirtualBox | Unclear
2020 | Winnti Group | vboxdrv.sys | VirtualBox | CVE-2008-3431
2020 | AcidBox | vboxdrv.sys | VirtualBox | Unclear
2020 | Dustman | vboxdrv.sys | VirtualBox | CVE-2008-3431
2019 | Doppelpaymer | kprocesshacker.sys | Process Hacker | N/A
2018 | LoJax | rwdrv.sys | RWEverything | N/A
2018 | Slingshot | sandra.sys | SiSoftware Sandra | CVE-2010-1592
2018 | Slingshot | elbycdio.sys | Elaborate Bytes | CVE-2009-0824
2018 | Slingshot | speedfan.sys | Alfredo Milani Comparetti Speedfan | CVE-2007-5633
2018 | Slingshot | goad.sys | ?? | Unclear
2017 | The Lamberts | sandra.sys | SiSoftware Sandra | CVE-2010-1592
2016 | Remsec | aswsnx.sys | Avast! | Unclear
2016 | Remsec | sandbox.sys | Agnitum Outpost | Unclear
2015 | Equation Group | elbycdio.sys | CloneCD | CVE-2009-0824
2015 | Derusbi | nicm.sys, nscm.sys, ncpl.sys | Novell | CVE-2013-3956
2014 | Turla | vboxdrv.sys | VirtualBox | CVE-2008-3431
2012 | Shamoon | elrawdsk.sys | Eldos Rawdisk | N/A

We believe that attacks or exploits that are actually used in the wild are, practically by definition, worthwhile for attackers. The table above illustrates that BYOVD is a valuable technique. Given these bad drivers' wide use in the wild, it would be beneficial for the security community to identify exploitable drivers and minimize or block their use.

USE CASES

Those unfamiliar with BYOVD are probably wondering why these attackers are doing this.

By far, the number one reason adversaries are using BYOVD is to bypass Windows Driver Signature Enforcement (DSE). DSE ensures that only signed kernel drivers can be loaded. By installing and exploiting a vulnerable driver, attackers can load their own unsigned malicious drivers. There are a number of open-source exploits that demonstrate loading unsigned drivers via BYOVD. These four are some of the most well-known:

* Stryker (using cpuz141.sys with CVE-2017-15303 and process explorer)
* DSEFix (using CVE-2008-3841)
* TDL (using CVE-2008-3841)
* KDU (using multiple vulnerabilities including CVE-2015-2291, CVE-2018-19320, CVE-2019-18845, CVE-2019-16098, and CVE-2019-8372)

Each of these tools is authored by the same individual, hfiref0x. Stryker, DSEFix, and TDL are all deprecated or in read-only mode. Notably, Stryker and DSEFix run afoul of PatchGuard and are no longer suitable for most situations. KDU, a tool that supports more than 14 different vulnerable drivers as the “provider,” is the unsigned driver loader of choice.

Once the attacker has loaded their unsigned driver into the kernel, they can accomplish a wide variety of tasks they wouldn’t be able to otherwise. Some obvious examples include unhooking EDR callbacks or hiding exploitation/rootkit artifacts. The attacker can write themselves a UEFI rootkit. Or just overwrite all data (resulting in BSoD). Or inject code into other processes. The Dell drivers discussed below should be able to facilitate these types of attacks. Connor McGarr demonstrated that Dell’s dbutil_2_3.sys (which is vulnerable to CVE-2021-21551) can be used to execute attacker code in kernel mode. Because the write-what-where condition persists in the follow-on drivers, dbutildrv2.sys 2.5 and 2.7, Dell has delivered three unique signed drivers that can execute attacker code in kernel mode.

The previously mentioned attacks largely focused on executing code in kernel mode. However, BYOVD also enables a simpler data-oriented attack that allows the attacker to subvert LSA protection. LSA protection prevents non-protected processes from reading the memory of, or injecting code into, Windows' Local Security Authority Subsystem Service (lsass.exe). That means tools like Mimikatz can’t dump the memory contents of lsass.exe in order to retrieve Windows account credentials. However, an attacker with ring 0 access can reach into the lsass.exe EPROCESS struct and simply mask out the LSA protection. Once masked out, the attacker is free to dump lsass.exe’s memory. There are a couple of good open-source implementations of this: mimidrv (a signed driver that is part of mimikatz) and PPLKiller (uses RTCore64.sys).

EXPLOITATION USING THE DELL DRIVERS

We’ve developed a Metasploit module that implements the LSA protection attack using the new Dell drivers (dbutildrv2.sys 2.5 and 2.7). An attacker with escalated privileges can use the module to enable or disable process protection on an arbitrary PID. The following proof-of-concept video demonstrates unprotecting lsass.exe and dumping memory from Metasploit.

The Dell drivers are especially valuable because they are compatible with the newest signing requirements issued by Microsoft. While old drivers like vboxdrv.sys / CVE-2008-3431 are finally becoming obsolete — 13 years is a pretty good run for any vulnerability — the Dell drivers are appearing in time to take their place. And the likelihood of the Dell drivers being blacklisted is low. The drivers are used for updating firmware across a large number of products. Preventing users from updating their computers’ firmware via driver blacklist is a non-starter.

While conducting this research, Rapid7 did reach out to Dell about this issue. They stated the following:

> After careful consideration with the product team, we have categorized this issue as a weakness and not a vulnerability due to the privilege level required to carry out an attack. This is in alignment with the guidance provided in the Windows Driver Model. We are not planning on releasing a security advisory or issuing a CVE on this.

OTHER EXPLOITATION IN THE WILD

Of course, we are not the first to use the Dell drivers in a malicious manner. As we noted in our AttackerKB analysis, dbutil_2_3.sys can be found associated with malware on VirusTotal. The newer versions of the driver, dbutildrv2.sys version 2.5 and 2.7, do not yet appear to have been used maliciously. However, we do note a fair amount of other activity associated with BYOVD-related drivers that haven’t yet been mentioned in this write-up:

* asrdrv101.sys (CVE-2018-1071[0-2]?)
* asrdrv102.sys (CVE-2018-1071[0-2]?)
* ucorew64.sys
* piddrv64.sys
* atillk64.sys (CVE-2019-7246)

The point is that this is a fairly active and perhaps under-reported technique. It seems only the most well-known vulnerable drivers are flagged by AV. Even a well-known driver like gdrv.sys isn’t flagged.

[Figure: vboxdrv.sys vs. gdrive.sys]

At what point should these legitimate drivers be flagged by AV? I posit that once a driver is distributed via Discord, it might be time to start flagging it as badware.

DETECTION AND MITIGATION GUIDANCE

Perhaps the best way to protect your systems is to utilize Microsoft’s driver block rules. The list is full of known bad drivers and, if used correctly, will allow you to block the driver from being loaded. Of course, this only protects you from known vulnerable drivers that Microsoft adds to this list, but it’s better than nothing. The Dell drivers are not currently in the list, but Dell has indicated they are working with Microsoft to add dbutil_2_3.sys. However, as discussed earlier, the newer versions are unlikely to ever get added.

Detecting the Dell drivers through your preferred EDR solution might be an alternative solution. The SHA-1 hashes are:

dbutil_2_3.sys: c948ae14761095e4d76b55d9de86412258be7afd
dbutildrv2.sys (2.5): 90a76945fd2fa45fab2b7bcfdaf6563595f94891
dbutildrv2.sys (2.7): b03b1996a40bfea72e4584b82f6b845c503a9748

If you are able to enable Hypervisor-Protected Code Integrity (HVCI), then you should absolutely do so. And, of course, you should have Secure Boot enabled at the very least.

We can all try to improve the Windows driver ecosystem by following Microsoft guidance on potentially dangerous drivers. Specifically, we can help by submitting drivers with vulnerabilities to the Microsoft Security Intelligence Driver Submission page for security analysis and by submitting block list suggestions to Microsoft Security Intelligence.
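As an added example (not code from the post, Rapid7, or Dell), here is a small Python triage script that applies the two kinds of indicator the post gives a defender: the SHA-1 hashes of the three Dell drivers quoted above (a strong, file-specific indicator) and the driver file names from the in-the-wild table (a weak, name-only indicator that only marks a file for review, since any of those drivers can be present legitimately). It hashes .sys files on disk and also checks driver-load telemetry; the Sysmon Event ID 6 field names (ImageLoaded, Hashes, Signed) are real, but the flattened one-line log layout and every sample event are constructed for this example, as are the file contents written by demo_file_scan().

```python
"""Defensive triage of Windows driver files and driver-load telemetry.

Added example, not Rapid7's or Dell's code. Hashes come from the post; the
watchlist names come from the post's table; log layout is constructed.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

# SHA-1 hashes quoted in the post for the Dell drivers.
KNOWN_BAD_SHA1: Dict[str, str] = {
    "c948ae14761095e4d76b55d9de86412258be7afd": "dbutil_2_3.sys",
    "90a76945fd2fa45fab2b7bcfdaf6563595f94891": "dbutildrv2.sys (2.5)",
    "b03b1996a40bfea72e4584b82f6b845c503a9748": "dbutildrv2.sys (2.7)",
}

# Driver file names from the post's BYOVD table. A name match is a prompt
# for review, not proof of abuse: these are legitimately signed drivers.
WATCHLIST_NAMES: Set[str] = {
    "physmem.sys", "procexp152.sys", "cpuz141.sys", "dbk64.sys",
    "viraglt64.sys", "winring00x64.sys", "vboxdrv.sys", "gdrv.sys",
    "rwdrv.sys", "speedfan.sys", "kprocesshacker.sys", "sandra.sys",
    "elbycdio.sys", "goad.sys", "aswsnx.sys", "sandbox.sys", "nicm.sys",
    "nscm.sys", "ncpl.sys", "elrawdsk.sys", "dbutil_2_3.sys", "dbutildrv2.sys",
}


class Finding(NamedTuple):
    source: str   # file path or "line N" of the log input
    name: str     # driver identified (blocklist label or file name)
    reason: str   # "sha1-blocklist" (strong) or "name-watchlist" (weak)


def sha1_of_file(path: str) -> str:
    """Stream the file so large driver packages do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_driver_files(root: str, blocklist: Dict[str, str] = KNOWN_BAD_SHA1,
                      watchlist: Set[str] = WATCHLIST_NAMES) -> List[Finding]:
    """Walk root, hash every .sys file, and report hash matches, then name matches."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".sys"):
                continue
            path = os.path.join(dirpath, fname)
            digest = sha1_of_file(path)
            if digest in blocklist:
                findings.append(Finding(path, blocklist[digest], "sha1-blocklist"))
            elif fname.lower() in watchlist:
                findings.append(Finding(path, fname.lower(), "name-watchlist"))
    return findings


# Field extraction for a flattened Sysmon "Driver loaded" (Event ID 6) record.
# The one-line "Field: value" layout is an assumption made for this example.
_IMAGE_RE = re.compile(r"ImageLoaded:\s*(?P<image>.+?)(?:\s+\w+:|$)")
_SHA1_RE = re.compile(r"SHA1=(?P<sha1>[0-9a-fA-F]{40})")


def scan_driver_load_events(lines: Iterable[str], blocklist: Dict[str, str] = KNOWN_BAD_SHA1,
                            watchlist: Set[str] = WATCHLIST_NAMES) -> List[Finding]:
    """Flag driver-load events whose reported SHA-1 or file name matches an indicator."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = _IMAGE_RE.search(line)
        if not m:
            continue
        image = m.group("image").strip()
        name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        h = _SHA1_RE.search(line)
        digest = h.group("sha1").lower() if h else ""
        if digest in blocklist:
            findings.append(Finding(f"line {n}", blocklist[digest], "sha1-blocklist"))
        elif name in watchlist:
            findings.append(Finding(f"line {n}", name, "name-watchlist"))
    return findings


# Constructed sample telemetry (not real events; hashes other than the Dell one are dummies).
SAMPLE_EVENTS = [
    "EventID:6 ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys Hashes: SHA1=0000000000000000000000000000000000000001 Signed: true",
    "EventID:6 ImageLoaded: C:\\Users\\Public\\dbutil_2_3.sys Hashes: SHA1=c948ae14761095e4d76b55d9de86412258be7afd Signed: true",
    "EventID:6 ImageLoaded: C:\\Temp\\gdrv.sys Hashes: SHA1=1111111111111111111111111111111111111111 Signed: true",
]


def demo_file_scan() -> Set[Tuple[str, str]]:
    """Write constructed .sys files to a temp dir and scan them (demo only)."""
    d = tempfile.mkdtemp()
    samples = {"vboxdrv.sys": b"constructed, not a real driver",
               "benign.sys": b"constructed benign file",
               "unknownname.sys": b"constructed blocklisted content"}
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    # Extend the blocklist with one constructed file's hash so the hash path is
    # exercised without a real driver binary being present.
    blocklist = dict(KNOWN_BAD_SHA1)
    blocklist[hashlib.sha1(samples["unknownname.sys"]).hexdigest()] = "constructed-sample"
    return {(f.name, f.reason) for f in scan_driver_files(d, blocklist=blocklist)}


if __name__ == "__main__":
    for finding in scan_driver_load_events(SAMPLE_EVENTS) + sorted(demo_file_scan()):
        print(finding)
```

Hash matches are reported ahead of name matches on purpose: a hash identifies one specific build the post calls out, while a name match only says that a file with a known-abused name exists, so the two should be triaged with different urgency. On a real host, point scan_driver_files at the directories where a driver was dropped (the post notes the Dell drivers ship with legitimate firmware updaters, so a match still needs context) and feed scan_driver_load_events exported Sysmon records after converting them to the one-line layout assumed here.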
The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer. More information Allow All MANAGE CONSENT PREFERENCES STRICTLY NECESSARY COOKIES Always Active These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information. Cookies Details SOCIAL MEDIA COOKIES Social Media Cookies These cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools. Cookies Details TARGETING COOKIES Targeting Cookies These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising. 
Cookies Details PERFORMANCE COOKIES Performance Cookies These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance. Cookies Details FUNCTIONAL COOKIES Functional Cookies These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly. Cookies Details Back Button COOKIE LIST Search Icon Filter Icon Clear checkbox label label Apply Cancel Consent Leg.Interest checkbox label label checkbox label label checkbox label label Reject All Confirm My Choices