“Exploring Vulnerable Drivers and Risk Mitigation Strategies”

Check Point Research analyzes the rising tide of vulnerable Windows drivers, showing how BYOVD and weak access controls enable exploitation and privilege escalation, even in security products. The findings emphasize that many flaws are not complex and can be fixed, yet mitigation efforts are often insufficient against determined attackers.
#BYOVD #LOLDrivers #DrWeb #DrWebSecuritySpace #IoCreateDeviceSecure #WindowsDriver

Keypoints

  • Vulnerable Windows drivers can be exploited by malware, creating serious security risks.
  • Most known vulnerable drivers share common design flaws, such as weak or absent DACLs on devices.
  • A mass hunt identified thousands of potentially vulnerable drivers.
  • Driver exploitation can enable privilege escalation and bypass security measures (e.g., UAC).
  • Many mitigations used by security products are bypassed or insufficient against BYOVD techniques.
  • Concrete demonstrations (e.g., Dr.Web components) show real-world LPE, arbitrary read/write, and process termination.
  • Mitigation requires a comprehensive approach: proper device access controls, secure device creation, and broader protections beyond blocklists.
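As an added example (not code from the Check Point article or from any driver it discusses), the following Python lint checks the SDDL security descriptors that IoCreateDeviceSecure or an INF Security directive attach to a device object, flagging the weak or absent DACL pattern the key points describe; the set of principals treated as "broad" is this example's own assumption.

```python
import re

# Well-known SID abbreviations this example assumes mean "any local user".
BROAD_SIDS = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users",
              "IU": "Interactive", "AN": "Anonymous", "BG": "Guests"}
WRITE_TOKENS = {"GA", "GW", "FA", "FW", "WD", "WO"}   # generic/file write, write DAC/owner
WRITE_MASK = 0x10000000 | 0x40000000 | 0x2             # GENERIC_ALL | GENERIC_WRITE | FILE_WRITE_DATA


def parse_dacl(sddl):
    """Return (has_dacl, [(ace_type, rights, sid), ...]) from an SDDL string."""
    m = re.search(r"D:[PAIR]*((?:\([^)]*\))*)", sddl)
    if not m:
        return False, []      # no D: component: NULL DACL, everyone gets full access
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        f = body.split(";")
        if len(f) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append((f[0], f[2], f[5]))   # ace_type, rights, account_sid
    return True, aces


def grants_write(rights):
    """True if the rights field (token string or hex mask) includes a write right."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_MASK)
    return any(rights[i:i + 2] in WRITE_TOKENS for i in range(0, len(rights), 2))


def weak_device_aces(sddl):
    """List findings; an empty list means only non-broad principals can open the device."""
    has_dacl, aces = parse_dacl(sddl)
    if not has_dacl:
        return ["NULL DACL: any user can open the device"]
    findings = []
    for ace_type, rights, sid in aces:
        if ace_type == "A" and sid in BROAD_SIDS:
            # Read-only access still matters: IOCTLs defined with FILE_ANY_ACCESS
            # need only an open handle, so every allow ACE to a broad SID is reported.
            level = "write/full" if grants_write(rights) else "read-only"
            findings.append(f"{BROAD_SIDS[sid]} ({sid}) allowed {rights} [{level}]")
    return findings


# Constructed sample descriptors, not taken from any real driver.
SECURE = "D:P(A;;GA;;;SY)(A;;GA;;;BA)"               # SYSTEM and Administrators only
WEAK = "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;WD)"   # same, plus read/write for Everyone

if __name__ == "__main__":
    for name, sd in (("secure", SECURE), ("weak", WEAK)):
        print(name, weak_device_aces(sd) or ["ok"])
```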

MITRE Techniques

  • [T1068] Privilege Escalation
  • [T1088] Bypass User Account Control
  • [T1055] Process Injection
  • [T1201] Kernel Mode Execution

Indicators of Compromise

  • [MD5 Hash] DrWeb vulnerable driver samples – 4cf84abc9e2d9a85b42c98a6b91bb011, c142d4ce995b37e43e4ff76b6920fc5d, and 4 more hashes
  • [SHA-256 Hash] DrWeb driver samples – a97fd477edae5dc63b6c8cf71d1602099bb48ee0804373e51bc6961fb0db6d5b, c452ae27e934c0a411a840dc8e824ccaeaf22fdfadf9f3072c1c162203a3fc2d, and 4 more hashes
  • [File Name] Dr.Web vulnerable driver files – dwshield_x64.pdb, dwt-6088-1976-26975aba.sys, and 2 more filenames

Read more: https://research.checkpoint.com/2024/breaking-boundaries-investigating-vulnerable-drivers-and-mitigating-risks/