
Drivers are an integral part of the operating system, but the vulnerabilities associated with them are often underestimated. Windows loads almost any driver into the kernel with little resistance: signed or unsigned, old or new. Malicious code distributed this way is hard to detect.
Old 32-bit drivers usually came without a digital signature. Even the introduction of mandatory signing did not solve the problem completely. First, attackers can use stolen certificates. Second, they turn officially certified drivers from trusted publishers (Lenovo, ASRock, Asustek, Dell, etc.) to their own purposes. Such "Trojan" drivers are present on many computers, yet antiviruses do not consider them a threat.
Attack via driver
Last year, Symantec researchers discovered the Daxin backdoor, presumably developed by a foreign intelligence agency for espionage (possibly by Chinese specialists).
Daxin is specifically designed to penetrate well-protected networks where antiviruses and firewalls are running. For that reason it was distributed under the guise of a Windows driver, which allowed it to stay hidden for a long time. According to the researchers, Daxin has long been operating in the corporate networks of Western agencies, collecting information for its foreign customers.
Symantec researchers compared Daxin with the highly advanced Regin backdoor from 2014, which also penetrated the OS kernel and loaded its working binaries as Windows drivers:

Monitoring drivers allows you to detect potential threats at an early stage, which makes it possible to take prompt measures to eliminate vulnerabilities, remove malicious drivers and minimize the risk of exploitation.
LOLDrivers
The LOLDrivers (Living Off The Land Drivers) project aims to collect as many vulnerable and malicious Windows drivers from official publishers as possible in one place, making this information available to anyone. This is a very valuable resource that helps organizations better understand and mitigate the security risks associated with drivers.

The main page provides a list of drivers with the date they were added to the catalog. There is also a filter for more conveniently searching for specific file names. For each driver, there is a link to a security bulletin describing an attack that is possible through this driver (usually we are talking about escalating privileges for subsequent execution of malicious code from another file).
The list can be obtained via the API in CSV and JSON formats. To detect vulnerable drivers by hash, a Sysmon configuration and a Sigma rule for corporate SIEM systems have been developed.
- Examples of vulnerable drivers (with unintentional bugs in the code that allow exploitation of vulnerabilities): capcom.sys and asrdrv10.sys.
- Examples of malicious drivers that are specifically designed for Daxin-style targeted attacks include gtfkyj64.sys and wantd.sys.
Related projects:
- LOLBAS (Living Off The Land Binaries, Scripts and Libraries), a list of dangerous binaries, scripts and libraries for Windows. For each, the official functionality and possible attack vectors are indicated, i.e. how this binary can be used by attackers.
- GTFOBins: A list of 375 Unix binaries that can be used to bypass local security restrictions on misconfigured systems.

Lists of vulnerable Windows drivers are valuable information for attackers themselves to find a way to penetrate a protected system. But we hope that the work of researchers in compiling a catalog of potential threats will do more good than harm.
Driver Signature Verification
To check the signature of files under Windows and view the certificate chain, it is recommended to use the sigcheck command-line utility. It also supports checking a file's hash against VirusTotal, which aggregates information from 40 antivirus scanners, with the option to upload the file for scanning.
For example, to search for all unsigned executable files in the \Windows\System32 directory, use the following command:
Code:
sigcheck -u -e c:\windows\system32
Sigcheck shows information about the certificates and publisher of each driver:

In the PowerShell console, you can view details about the drivers with the command Get-ItemProperty:
Code:
Get-ItemProperty -Path C:\Users\Administrator\Desktop\5400414768496640\* | Format-List -Property VersionInfo
Result:
Code:
VersionInfo: File: \06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4
InternalName: wantd.sys
OriginalFilename: wantd.sys
FileVersion: 6.1.7600.1172
FileDescription: WAN Transport Driver
Product: Microsoft Windows Operating System
ProductVersion: 6.1.7600.1172
Debug: False
Patched: False
PreRelease: False
PrivateBuild: False
SpecialBuild: False
Language: English (United States)
…etc.
Information about certificates:
Code:
Get-AuthenticodeSignature -FilePath .\Desktop\5400414768496640\*
Result:
Code:
SignerCertificate Status Path
----------------- ------ ----
84E01D467068826892F41AF4A48D5493BABE62E9 UnknownError 06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4
84E01D467068826892F41AF4A48D5493BABE62E9 UnknownError 0f82947b2429063734c46c34fb03b4fa31050e49c27af15283d335ea22fe0555
84E01D467068826892F41AF4A48D5493BABE62E9 HashMismatch 3e7724cb963ad5872af9cfb93d01abf7cd9b07f47773360ad0501592848992f4
84E01D467068826892F41AF4A48D5493BABE62E9 Valid 49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530
C61A221389C98EE2FBC0E57A62DEE5A915E6C509 UnknownError 5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae
C61A221389C98EE2FBC0E57A62DEE5A915E6C509 UnknownError 5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a
84E01D467068826892F41AF4A48D5493BABE62E9 Valid 6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f
NotSigned 7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376
NotSigned 81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1
84E01D467068826892F41AF4A48D5493BABE62E9 HashMismatch 8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce
NotSigned 8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e
NotSigned 96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc
NotSigned 9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51
84E01D467068826892F41AF4A48D5493BABE62E9 UnknownError b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427
84E01D467068826892F41AF4A48D5493BABE62E9 HashMismatch b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3
NotSigned c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c
NotSigned e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217
84E01D467068826892F41AF4A48D5493BABE62E9 HashMismatch
Certificate status:
Code:
Get-ChildItem C:\Users\Administrator\Desktop\5400414768496640\* | Get-AuthenticodeSignature | `
    Select-Object -Property Path,IsOSBinary,SignatureType,Status,StatusMessage | `
    Export-CSV C:\temp\Signature.csv -NoTypeInformation
Result:
Code:
"Path","IsOSBinary","SignatureType","Status","StatusMessage"
"C:\Users\Administrator\Desktop\5400414768496640\06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4","False","Authenticode","UnknownError","A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file"
"C:\Users\Administrator\Desktop\5400414768496640\0f82947b2429063734c46c34fb03b4fa31050e49c27af15283d335ea22fe0555","False","Authenticode","UnknownError","A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file"
"C:\Users\Administrator\Desktop\5400414768496640\3e7724cb963ad5872af9cfb93d01abf7cd9b07f47773360ad0501592848992f4","False","Authenticode","HashMismatch","The contents of file C:\Users\Administrator\Desktop\5400414768496640\3e7724cb963ad5872af9cfb93d01abf7cd9b07f47773360ad0501592848992f4 might have been changed by an unauthorized user or process, because the hash of the file does not match the hash stored in the digital signature. The script cannot run on the specified system. For more information, run Get-Help about_Signing."
"C:\Users\Administrator\Desktop\5400414768496640\49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530","False","Authenticode","Valid","Signature verified."
"C:\Users\Administrator\Desktop\5400414768496640\5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae","False","Authenticode","UnknownError","A certificate was explicitly revoked by its issuer"
"C:\Users\Administrator\Desktop\5400414768496640\5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a","False","Authenticode","UnknownError","A certificate was explicitly revoked by its issuer"
"C:\Users\Administrator\Desktop\5400414768496640\6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f","False","Authenticode","Valid","Signature verified."
"C:\Users\Administrator\Desktop\5400414768496640\7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376","False","None","NotSigned","The file C:\Users\Administrator\Desktop\5400414768496640\7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376 is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170"
"C:\Users\Administrator\Desktop\5400414768496640\81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1","False","None","NotSigned","The file C:\Users\Administrator\Desktop\5400414768496640\81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1 is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170"
"C:\Users\Administrator\Desktop\5400414768496640\8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce","False","Authenticode","HashMismatch","The contents of file C:\Users\Administrator\Desktop\5400414768496640\8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce might have been changed by an unauthorized user or process, because the hash of the file does not match the hash stored in the digital signature. The script cannot run on the specified system. For more information, run Get-Help about_Signing."
"C:\Users\Administrator\Desktop\5400414768496640\8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e","False","None","NotSigned","The file C:\Users\Administrator\Desktop\5400414768496640\8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170"
"C:\Users\Administrator\Desktop\5400414768496640\96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc","False","None","NotSigned","The file C:\Users\Administrator\Desktop\5400414768496640\96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170"
"C:\Users\Administrator\Desktop\5400414768496640\9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51","False","None","NotSigned","The file C:\Users\Administrator\Desktop\5400414768496640\9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51 is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170"
"C:\Users\Administrator\Desktop\5400414768496640\b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427","False","Authenticode","UnknownError","A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file"
"C:\Users\Administrator\Desktop\5400414768496640\b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3","False","Authenticode","HashMismatch","The contents of file C:\Users\Administrator\Desktop\5400414768496640\b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3 might have been changed by an unauthorized user or process, because the hash of the file does not match the hash stored in the digital signature. The script cannot run on the specified system. For more information, run Get-Help about_Signing."
"C:\Users\Administrator\Desktop\5400414768496640\c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c","False","None","NotSigned","The file C:\Users\Administrator\Desktop\5400414768496640\c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170"
"C:\Users\Administrator\Desktop\5400414768496640\e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217","False","None","NotSigned","The file C:\Users\Administrator\Desktop\5400414768496640\e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217 is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170"
"C:\Users\Administrator\Desktop\5400414768496640\e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e","False","Authenticode","HashMismatch","The contents of file C:\Users\Administrator\Desktop\5400414768496640\e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e might have been changed by an unauthorized user or process, because the hash of the file does not match the hash stored in the digital signature. The script cannot run on the specified system. For more information, run Get-Help about_Signing."
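Putting the LOLDrivers hash list and the Get-AuthenticodeSignature check together, as an added example that is not part of the original post: the script below fetches the catalog's JSON export, hashes every kernel driver registered on the host, records each one's signature status the way the Export-CSV command above does, and flags anything that is catalogued or not cleanly signed. The API URL and the KnownVulnerableSamples/SHA256 field names are assumed from the published schema; if the download fails, a constructed pair of placeholder hashes is used so the script still runs offline.

```powershell
# Added example, not from the original post. Assumed: LOLDrivers JSON export at the URL below,
# each entry carrying a KnownVulnerableSamples array whose items have a SHA256 field.
$ApiUrl = 'https://www.loldrivers.io/api/drivers.json'
$Report = 'C:\temp\DriverAudit.csv'

try {
    $Catalog = Invoke-RestMethod -Uri $ApiUrl
    $Known   = $Catalog.KnownVulnerableSamples.SHA256 |
               Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }
} catch {
    Write-Warning "Could not fetch $ApiUrl, falling back to constructed placeholder hashes"
    $Known = @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',   # constructed
               'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb')   # constructed
}
$KnownSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$Known)

# Win32_SystemDriver lists every kernel driver service (running or not). PathName is the
# on-disk image, often written with NT-style prefixes that must be normalised first.
$Drivers = Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName }
$Rows = foreach ($d in $Drivers) {
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    $path = $path -replace '^system32', "$env:SystemRoot\system32"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLowerInvariant()
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Name         = $d.Name
        State        = $d.State
        Path         = $path
        SHA256       = $hash
        Status       = $sig.Status            # Valid / NotSigned / HashMismatch / UnknownError
        IsOSBinary   = $sig.IsOSBinary
        Signer       = $sig.SignerCertificate.Subject
        InLOLDrivers = $KnownSet.Contains($hash)
    }
}

$Rows | Export-Csv -Path $Report -NoTypeInformation

# Review list: catalogued hashes first, then anything whose signature is not simply Valid.
$Rows | Where-Object { $_.InLOLDrivers -or $_.Status -ne 'Valid' } |
    Sort-Object InLOLDrivers -Descending |
    Format-Table Name, State, Status, InLOLDrivers, Path -AutoSize
```

A catalogued driver will often report Status = Valid, since the whole point of LOLDrivers is legitimately signed but exploitable code, so the hash match has to be treated as a finding on its own rather than as a signature problem.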