Gaining kernel privileges by taking advantage of legitimate but vulnerable kernel drivers has become an established tool of choice for advanced adversaries. Multiple malware attacks, including RobbinHood, Uroburos, Derusbi, GrayFish, and Sauron, and campaigns by the threat actor STRONTIUM, have leveraged driver vulnerabilities (for example,
CVE-2008-3431,
CVE-2013-3956,
CVE-2009-0824,
CVE-2010-1592, etc.) to gain kernel privileges and, in some cases, effectively disable security agents on compromised machines.
Defending against these types of threats—whether those that live off the land by using what’s already on the machine or those that bring in vulnerable drivers as part of their attack chain—requires a fresh approach to security, one that combines threat defense on multiple levels: silicon, operating system, and cloud. Microsoft brought this chip-to-cloud approach with
Azure Sphere, the integrated security solution for IoT devices and equipment. We brought the same approach to securing endpoint devices through
Secured-core PCs.
Secured-core PCs combine virtualization, operating system, and hardware and firmware protection. Along with
Microsoft Defender Advanced Threat Protection, Secured-core PCs provide end-to-end protection against advanced threats.
