Windows Drivers

Try in Splunk Security Cloud

Description

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• Last Updated: 2022-03-30
• Author: Michael Haag, Splunk
• ID: d0a9323f-9411-4da6-86b2-18c184d750c0

Narrative

A rootkit on Windows may sometimes be in the form of a Windows Driver. A driver typically has a file extension of .sys, however the internals of a sys file is similar to a Windows DLL. For Microsoft Windows to load a driver, a few requirements are needed. First, it must have a valid signature. Second, typically it should load from the windows\system32\drivers path. There are a few methods to investigate drivers in the environment. Drivers are noisy. An inventory of all drivers is important to understand prevalence. A driver location (Path) is also important when attempting to baseline. Looking at a driver name and path is not enough, we must also explore the signing information. Product, description, company name, signer and signing result are all items to take into account when reviewing drivers. What makes a driver malicious? Depending if a driver was dropped during a campaign or you are baselining drivers after, triaging a driver to determine maliciousness may be tough. We break this into two categories - 1. vulnerable drivers 2. driver rootkits. Attempt to identify prevelance of the driver. Is it on one or many? Review the signing information if it is present. Is it common? A lot of driver hunting will lead down rabbit holes, but we hope to help lead the way.

Detections

Name	Technique	Type
Sc exe Manipulating Windows Services	Windows Service, Create or Modify System Process	TTP
Windows Driver Inventory	Exploitation for Privilege Escalation	Hunting
Windows Driver Load Non-Standard Path	Rootkit, Exploitation for Privilege Escalation	TTP
Windows Drivers Loaded by Signature	Rootkit, Exploitation for Privilege Escalation	Hunting
Windows Registry Certificate Added	Install Root Certificate, Subvert Trust Controls	Anomaly
Windows Registry Modification for Safe Mode Persistence	Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution	TTP
Windows Service Create Kernel Mode Driver	Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation	TTP
Windows System File on Disk	Exploitation for Privilege Escalation	Hunting
Windows Vulnerable Driver Loaded	Windows Service	Hunting

Reference

• https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/
• https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage
• https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf
• https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/

source | version: 1