How can attacks bypass Windows Driver Signature Enforcement?
Security researchers demonstrated how a new fileless attack technique can bypass a Windows kernel protection feature at Black Hat 2018. Find out how the technique works.
Researchers at cybersecurity vendor Endgame Inc. demonstrated a proof of concept for a new fileless attack technique at Black Hat 2018. The technique bypasses a Windows kernel protection feature called Driver Signature Enforcement. How does this attack work?
The use of a fileless attack is often not fileless, and it may even have the ability to use some of the same techniques as living off the land attacks. While there is confusion about what a fileless attack is, it's clear the attack techniques bypass traditional antivirus software.
One misconception about fileless attacks is that a file must be present on the local system for it to be executed on the endpoint. For example, Windows has built-in functionality that enables a file to be executed or loaded over the network. This can take place even if the file is not on a mapped drive, and this functionality has important, legitimate applications, including managing software from a central location and distributing software updates.
Endgame security researchers found a way to load a vulnerable Windows driver using the Web Distributed Authoring and Versioning protocol extension for HTTP from a remote system. Windows versions since Vista have included policy protections via Driver Signature Enforcement, which only allows signed drivers to load, thus protecting the Windows kernel. Once attackers have access to the kernel, they can bypass most of the other protections running on the system.
Likewise, some signed drivers have vulnerabilities that allow an attacker to gain access to the kernel. The Endgame security researchers used a vulnerability in a driver to execute code on the endpoint to load their malware into the kernel, allowing them to completely take over the endpoint.
Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)