Summary:
Over the past 18 months, BYOVD (Bring Your Own Vulnerable Driver) attacks have surged as adversaries exploit known vulnerabilities in kernel drivers to bypass endpoint detection systems like CrowdStrike Falcon. These attacks enable malicious actors to perform privileged operations, evade detection, and manipulate systems at a deep level. In a recent incident, a CrowdStrike customer faced an intrusion attempt involving six vulnerable drivers, all of which were detected by Falcon’s protections.
#BYOVD #KernelExploitation #EndpointSecurity
Keypoints:
BYOVD attacks have increased significantly, targeting endpoint detection and response (EDR) products.
Adversaries load vulnerable drivers to perform privileged operations and evade detection.
A recent incident involved a customer experiencing an intrusion with six vulnerable drivers.
All attempts were detected or blocked by CrowdStrike Falcon’s BYOVD protections.
BYOVD does not break Driver Signature Enforcement (DSE); the abused driver carries a valid signature, so it loads under DSE, and the kernel read/write it exposes lets the attacker tamper with DSE, EDR kernel callbacks and other protections.
Microsoft's kernel hardening measures (DSE, Hypervisor-Protected Code Integrity and the Microsoft Vulnerable Driver Blocklist) have raised the bar for kernel exploitation, which is why adversaries fall back on signed but vulnerable drivers.
CrowdStrike categorizes abused drivers into vulnerable, weaponizable, and malicious classes.
MITRE Techniques:
Impair Defenses: Disable or Modify Tools (T1562.001): Uses the vulnerable driver's kernel read/write primitive to blind or disable security tools such as EDR.
Create or Modify System Process: Windows Service (T1543.003): Loads the vulnerable driver by registering it as a kernel-mode service.
Exploitation for Privilege Escalation (T1068): Gains kernel-level privileges by exploiting the vulnerable driver.
Process Injection (T1055): Injects malicious code into legitimate processes using the kernel access obtained through the driver.
IoC:
No IoC Found
Mitigation:
Enforce driver code-integrity policies: enable the Microsoft Vulnerable Driver Blocklist and Hypervisor-Protected Code Integrity (HVCI), and use WDAC to block known vulnerable drivers. BYOVD drivers are legitimately signed, so signature enforcement alone does not stop them.
Utilize endpoint detection and response (EDR) solutions to monitor for suspicious driver activity, such as kernel-mode service creation, driver loads from user-writable paths, and loads of drivers with known-vulnerable hashes.
Regularly update and patch systems; note that patching does not stop an attacker who brings an older vulnerable driver version, which is why blocklisting known-vulnerable driver hashes is also required.
Educate users about the risks of using vulnerable drivers and the importance of security practices.
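The driver-load monitoring described in the mitigation list, as an added example that is not CrowdStrike's or Falcon's code: it parses Sysmon Event ID 6 (DriverLoad) message bodies and flags loads that match a hash blocklist, carry no valid signature (which should be impossible while DSE is intact), or come from a user-writable directory. The event records, the placeholder blocklist hash and the directory lists are constructed for illustration; a real deployment would populate the blocklist from a curated source such as the Microsoft Vulnerable Driver Blocklist.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for BYOVD indicators.

Added example, not CrowdStrike's or Falcon's code. Sample records, the
blocklist hash and the directory heuristics are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed placeholder hash (NOT a real driver hash). In practice this set is
# populated from a curated vulnerable-driver list.
BLOCKLISTED_SHA256 = {
    "11" * 32: "constructed entry: known vulnerable driver (arbitrary kernel write)",
}

# Directories a legitimate kernel driver is almost never loaded from.
SUSPICIOUS_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\", "\\downloads\\")
# Directories where Windows normally keeps installed drivers.
TRUSTED_DRIVER_DIRS = ("\\windows\\system32\\drivers\\", "\\windows\\system32\\driverstore\\")

_FIELD = re.compile(r"^(\w+):\s*(.*)$")


@dataclass
class DriverLoad:
    utc_time: str
    image: str
    sha256: str
    signed: bool
    signature: str
    status: str


def parse_sysmon_driverload(text: str) -> list[DriverLoad]:
    """Parse blank-line separated Sysmon Event ID 6 message bodies."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = _FIELD.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if "ImageLoaded" not in fields:
            continue  # not a DriverLoad record
        # Hashes field looks like "SHA1=...,MD5=...,SHA256=...,IMPHASH=..."
        hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
        events.append(DriverLoad(
            utc_time=fields.get("UtcTime", ""),
            image=fields["ImageLoaded"],
            sha256=hashes.get("SHA256", "").lower(),
            signed=fields.get("Signed", "false").lower() == "true",
            signature=fields.get("Signature", ""),
            status=fields.get("SignatureStatus", ""),
        ))
    return events


def assess(ev: DriverLoad) -> list[tuple[str, str]]:
    """Return (severity, reason) findings for one driver load; empty list if benign."""
    findings = []
    path = ev.image.lower()
    if ev.sha256 in BLOCKLISTED_SHA256:
        findings.append(("high", f"blocklisted vulnerable driver: {BLOCKLISTED_SHA256[ev.sha256]}"))
    if not ev.signed or ev.status.lower() != "valid":
        # A kernel driver cannot load without a valid signature while DSE is intact,
        # so this indicates DSE tampering or test-signing mode.
        findings.append(("high", "driver loaded without a valid signature (DSE tampering or test-signing?)"))
    if any(d in path for d in SUSPICIOUS_DIRS):
        findings.append(("high", "driver image in a user-writable directory"))
    elif not any(d in path for d in TRUSTED_DRIVER_DIRS):
        findings.append(("medium", "driver loaded from outside the Windows driver directories"))
    return findings


def triage(text: str) -> list[dict]:
    """Run assess() over every parsed record and return only records with findings."""
    results = []
    for ev in parse_sysmon_driverload(text):
        f = assess(ev)
        if f:
            results.append({"time": ev.utc_time, "image": ev.image, "sha256": ev.sha256, "findings": f})
    return results


# Constructed sample records in Sysmon Event ID 6 message format.
SAMPLE_EVENTS = """\
Driver loaded:
RuleName: -
UtcTime: 2024-05-01 10:00:00.000
ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys
Hashes: SHA256=""" + "ab" * 32 + """
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

Driver loaded:
RuleName: -
UtcTime: 2024-05-01 10:05:12.000
ImageLoaded: C:\\Users\\Public\\update\\hwmon.sys
Hashes: SHA256=""" + "11" * 32 + """
Signed: true
Signature: Example Hardware Vendor Ltd
SignatureStatus: Valid

Driver loaded:
RuleName: -
UtcTime: 2024-05-01 10:05:13.000
ImageLoaded: C:\\Windows\\Temp\\payload.sys
Hashes: SHA256=""" + "22" * 32 + """
Signed: false
Signature: -
SignatureStatus: Unavailable
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["time"], hit["image"])
        for severity, reason in hit["findings"]:
            print(f"  [{severity}] {reason}")
```

The second sample record is the BYOVD pattern the page describes: a validly signed driver (so it passes DSE) whose hash is on the blocklist, dropped into a user-writable path. The third record only fires after the fact, once an unsigned driver loads, which is what an attacker who has already used the first driver to tamper with DSE would do next.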
Full Research: https://www.crowdstrike.com/en-us/blog/falcon-prevents-vulnerable-driver-attacks-real-world-intrusion/