Security News Black Hat 2018: Stealthy Kernel Attack Flies Under Windows Mitigation Radar

silversurfer

Researchers create PoC of a post-exploitation kernel-mode fileless attack technique

There are lots of Holy Grails when it comes to compromising endpoints. One of them has long been an attack that leads to kernel ring0 access on a Windows system. That translates into so-called “God Mode” for hackers — and “game over” for victims.

This is why Microsoft has gone to great lengths over the years to harden the kernel with protections such as PatchGuard, Driver Signature Enforcement and Secure Boot. However, attackers continue to devise new kernel-mode malware that evades these protections.

At a Black Hat session on Thursday, researchers at Endgame took these kernel attacks one step further. In their session, “Kernel Mode Threats and Practical Defenses,” they demonstrated how to weaponize Turla Driver Loader into a full, fileless kernel-mode attack.

The Turla Driver Loader (TDL), named for its link to the Turla APT group, is a technique used to bypass a Windows mitigation called Driver Signature Enforcement, first introduced in 64-bit Windows Vista. That policy ensures only drivers signed with a valid digital signature can be loaded into the kernel. The TDL technique is not entirely unique, but using it in the context of a full, fileless kernel-mode attack is, said Joe Desimone, senior malware researcher at Endgame.

The result is a compromised system stripped of endpoint AV and endpoint detection and response (EDR) defenses — which can be used to silently exfiltrate data or infiltrate a network.
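The article names three kernel protections (PatchGuard, Driver Signature Enforcement, Secure Boot) and a loader that bypasses the second of them. The script below is an added example, not code from the article, from Endgame or from the TDL project: it audits a host for the boot flags that weaken Driver Signature Enforcement (`testsigning`, `nointegritychecks`), reports the Secure Boot state, and lists running kernel drivers whose on-disk image does not carry a valid signature. Run it in an elevated PowerShell session. It is deliberately limited: a driver mapped directly into kernel memory the way the article describes (fileless, no service entry) does not appear in the normal driver enumeration, so the last section only surfaces what a conventional loader would leave behind.

```powershell
# Added example (not from the article, Endgame or TDL). Requires an elevated PowerShell session.
function Get-KernelProtectionAudit {
    $findings = @()

    # 1. Boot flags that relax Driver Signature Enforcement. Both are absent (default "No") on a
    #    hardened host; "Yes" means unsigned or test-signed drivers load without a DSE bypass.
    $bcd = bcdedit /enum '{current}' 2>$null
    foreach ($flag in 'testsigning', 'nointegritychecks') {
        $line = $bcd | Where-Object { $_ -match "^\s*$flag\s+" }
        $value = if ($line) { ($line.Trim() -split '\s+')[-1] } else { 'No (absent, default)' }
        $findings += [pscustomobject]@{ Check = "bcd:$flag"; Result = $value; Detail = '' }
    }

    # 2. Secure Boot state. Confirm-SecureBootUEFI throws on legacy-BIOS hosts, so catch that.
    try {
        $sb = Confirm-SecureBootUEFI
        $findings += [pscustomobject]@{ Check = 'SecureBoot'; Result = $sb; Detail = '' }
    } catch {
        $findings += [pscustomobject]@{ Check = 'SecureBoot'; Result = 'unknown'; Detail = $_.Exception.Message }
    }

    # 3. Running kernel drivers whose image on disk is not validly signed.
    #    Win32_SystemDriver.PathName may be absolute, \SystemRoot\... , \??\C:\... or relative
    #    to the Windows directory, so normalise before checking. On PowerShell 5.1 and later
    #    Get-AuthenticodeSignature also honours catalog signatures (SignatureType = Catalog),
    #    which is how most in-box Microsoft drivers are signed.
    $drivers = Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' -and $_.PathName }
    foreach ($d in $drivers) {
        $path = $d.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', [regex]::Escape($env:SystemRoot).Replace('\\', '\')
        if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }

        if (-not (Test-Path -LiteralPath $path)) {
            # A running driver with no backing file is itself worth a look.
            $findings += [pscustomobject]@{ Check = "driver:$($d.Name)"; Result = 'image missing'; Detail = $path }
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.Status -ne 'Valid') {
            $findings += [pscustomobject]@{ Check = "driver:$($d.Name)"; Result = $sig.Status; Detail = $path }
        }
    }
    return $findings
}

# Usage: print everything that is not the expected hardened state.
Get-KernelProtectionAudit |
    Where-Object { $_.Result -notin @('No (absent, default)', 'True') } |
    Format-Table -AutoSize
```

Treat a `testsigning` or `nointegritychecks` value of `Yes`, a Secure Boot result of `False`, or any driver reported as `NotSigned`, `HashMismatch` or `image missing` as a finding to investigate rather than a verdict: a legitimately unsigned driver on a development box and a loader that patched the boot configuration look the same to this script. What it cannot see is the case the article is about, a driver that never touched disk, which needs memory-level inspection of the loaded-module list and kernel pools rather than a walk of the service database.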