CrowdStrike Falcon Prevents Multiple Vulnerable Driver Attacks in Real-World Intrusion

December 02, 2024

| Matt Weiner - Ioan-Cristian Iacob | Endpoint Security & XDR

Over the last 18 months, bring your own vulnerable driver (BYOVD) attacks have escalated significantly as adversaries attempt to bypass endpoint detection and response (EDR) products including the CrowdStrike Falcon® sensor.
BYOVD attacks involve an adversary writing to disk and loading a kernel driver with known vulnerabilities that is then abused to perform privileged operations. This could involve terminating security products, bypassing EDR anti-tampering protections, dumping privileged processes or other actions normally prevented by the Windows operating system or security software.
In early September 2024, a CrowdStrike customer experienced an intrusion where the adversary brought six vulnerable drivers in an attempt to bypass the Falcon sensor. All were detected or blocked by Falcon BYOVD protections.
In total, across endpoints targeted in the intrusion, the customer had 48 alerts stemming from the custom malware execution, use of vulnerable drivers and other malicious activity.

BYOVD Background

BYOVD involves adversaries writing to disk and loading a legitimate, but vulnerable, driver to access the kernel of an operating system. This allows them to evade detection mechanisms and manipulate the system at a deep level, often bypassing protections like EDR. For the exploitation to succeed, attackers must first ensure the driver is brought on the target system. This is followed by the initiation of a privileged process to load the driver, setting the stage for further malicious activities.

Historically, code execution within the Windows kernel had virtually no restrictions, permitting unrestricted memory access. However, this landscape changed with the introduction of Microsoft's security initiatives like PatchGuard and virtualization-based security (VBS) with hypervisor-protected code integrity (HVCI), which have established new protective barriers. Nevertheless, the kernel continues to be an attractive target for malicious actors due to the powerful privileges it offers.

To safeguard the kernel, Windows 64-bit operating systems enforce a requirement that all drivers must be digitally signed to be loaded, a security measure facilitated by the Code Integrity (CI.dll) module known as Driver Signature Enforcement (DSE). This requirement significantly challenges malicious entities attempting to execute inside the kernel space, compelling them to seek alternative methods.

In response to these stringent security measures, adversaries have developed the BYOVD strategy to gain kernel access. Once the driver is in place, it becomes a target for exploitation, enabling attackers to leverage its vulnerabilities to achieve a range of malicious objectives, underscoring the ongoing cat-and-mouse game between security defenders and adversaries in the realm of kernel security.

Some adversary objectives include:

Reading or writing arbitrary kernel memory regions in an attempt to read encryption keys or tamper with OS features
Disabling DSE to allow loading of unsigned malicious drivers
Manually mapping unsigned malicious drivers
Removing kernel callbacks to hinder the visibility of EDR products
Tampering with protected processes or protected registry keys
Performing destructive actions by accessing and overwriting to raw disk sectors
Tampering with CPU model-specific registers (MSR) to control various CPU features
Tampering with protected OS registers
Obtaining handles to protected processes
Hiding objects like processes, network sockets or files

Vulnerable, Weaponizable and Malicious Drivers

To aid detection development, CrowdStrike categorizes abused drivers into three classes: vulnerable, weaponizable and malicious. The former two categories fall under the BYOVD attack chain.

Vulnerable drivers are legitimate drivers with a software flaw that allows attackers to exploit them to perform actions beyond their intended functionality. For example, a flaw could include arbitrary reading and writing of kernel memory in the context of the driver. This would allow loading of a second malicious unsigned driver, bypassing Windows code signing restrictions.

Vulnerable Driver: gdrv.sys

gdrv.sys is a kernel driver developed by Gigabyte. It enables various motherboard enhancements, including hardware management, overclocking and performance optimization.

Older versions of this driver contain multiple vulnerabilities — such as CVE-2018-19320, CVE-2018-19321, CVE-2018-19322 and CVE-2018-19323 — that enable an attacker to perform arbitrary reads and writes to kernel memory, IO ports and MSR registers. One example of its abuse was RobbinHood ransomware, which exploited a vulnerability exposed via the 0xC3502808 input/output control code (IOCTL)¹ to disable DSE with the purpose of loading its own malicious driver. This malicious driver would then be used to remove security software such as EDR tools.

Figure 1. Switch case construct is used to call the custom memcpy instruction when IOCTL 0xC3502808 is invoked by the user mode process

Figure 2. Custom memcpy implementation receiving a custom structure containing the destination and source addresses along with the length of the data to be copied

The driver employs a switch-case statement to direct execution to the code handling the 0xC3502808 IOCTL. It subsequently invokes a custom memcpy implementation, which takes a custom structure specifying the source address, destination address and buffer size to be copied. This memcpy lacks safeguards to restrict who can invoke it or to block memory writes outside the scope of this driver. An attacker can determine addresses of various kernel space structures and leverage this memcpy to write memory within kernel space.

The vendor of this driver acknowledged these vulnerabilities and addressed them in the newer versions of the driver. However, the older version of this driver can still be abused in a BYOVD attack chain.

Weaponizable drivers are a subset of vulnerable drivers that are designed and shipped with specific, legitimate functionalities that malicious actors can repurpose, or “weaponize,” for nefarious purposes rather than exploiting a flaw. An example includes drivers from security products that can terminate protected processes. While intended for legitimate use, these can be leveraged by attackers to adversely tamper with security protections.

Weaponizable Driver: GMER

GMER is a tool designed to help identify rootkits hidden in the operating system kernel. It enables auditing and tampering with various kernel structures to achieve its purpose of identifying and protecting against rootkits. This powerful tool requires a driver to achieve all of this functionally — a driver that has been weaponized by various actors and open-source tooling to terminate or suspend protected processes.

This driver exposes the ZwTerminateProcess kernel API via the 0x9876C094 IOCTL. The user mode process needs to send only the process ID (PID) of the process to be terminated.

Figure 3. IOCTL 0x9876C094 receives the PID of the target process to terminate

Figure 4. Function wrapping the process termination functionality implemented via ZwTerminateProcess

There is a key difference between vulnerable drivers and weaponizable features in drivers. While vulnerabilities are weaknesses that can be fixed with patches from vendors and updates by users, weaponizable features are built-in functionalities. These features cannot be patched away, and vendors will likely continue to offer them as part of their application.

Malicious drivers can be observed within a BYOVD attack chain, as they are often loaded by adversaries following the abuse of a vulnerable driver. Either these drivers are proxy-loaded following a vulnerable driver, or the attacker has obtained a compromised or stolen code signing certificate and directly loads the driver. Malicious drivers often deregister kernel callbacks of known EDR drivers or hide file system, network or registry activity from monitoring.

Malicious Driver: Mimikatz

Mimikatz² is a well-known tool used by security professionals as well as adversaries to extract Windows OS credentials. Once credentials are harvested, these can later be used to achieve lateral movement within the network and compromise other endpoints.

Mimikatz also has a kernel driver that is signed with a legitimate certificate, allowing it to load without disabling Windows DSE. Due to its functionalities, the Mimikatz driver is considered to be malicious software, despite it being written by a security professional.

Weaponizable drivers are favored by many eCrime adversaries due to their capacity to terminate EDR processes and their low barrier to entry, as a secondary malicious driver is not needed. This was the case in the intrusion under discussion, where the attacker brought six weaponizable drivers, indicating a likely attempt to terminate the Falcon sensor. All of these drivers have public proofs of concepts (POCs) available on code sharing websites or are available via the loldrivers project.³

From an Unmanaged Host to a Domain Controller

For the intrusion in focus, the adversary initially moved via psexec.exe from an endpoint without Falcon installed to a corporate domain controller with a Falcon sensor. They performed basic reconnaissance and attempted to set the DisableRestrictedAdmin registry value to zero under the registry key HKLM\System\CurrentControlSet\Control\Lsa via PowerShell to disable Restricted Admin mode on Remote Desktop Protocol (RDP). This exposes credentials during remote connections and facilitates credential theft.

Figure 5. Attempted defense evasion via PowerShell to disable DisableRestrictedAdmin settings in the registry

Once on the domain controller, the adversary attempted to execute malware and load vulnerable drivers for BYOVD attacks.

BYOVD Attempt 1: `TfSysMon.sys`

Initially, the adversary attempted proxy execution of the malware file WatchMgrsCore.exe via wmic.exe using the command-line process call create to indirectly start the process. This execution was blocked by Falcon for suspicious execution via Windows Management Instrumentation (WMI), which appears as the parent process WmiPrvSe.exe.

Figure 6. Attempted proxy execution of WatchMgrsCore.exe prevented by Falcon

The attacker then switched accounts and logged back on to the domain controller via RDP and attempted direct execution of WatchMgrsCore.exe as this user. This execution wrote the driver file TfSysMon.sys to disk and triggered BYOVD protections due to the suspicious IOCTL requests to this driver, which was masquerading as the file C:\Windows\WatchMgrsCore.sys.

TfSysMon.sys is a known vulnerable driver that has been observed being used by eCrime groups. The driver itself is from the application ThreatFire System Monitor and falls into the weaponizable class of vulnerable drivers. In this case, TfSysMon.sys can terminate protected processes — such as EDR products — via a specifically crafted IOCTL request. Falcon detected this malicious request, which was blocked, and the requesting process was killed.

Following this attempt, the adversary attempted to execute five other unique binaries to control the TfSysMon.sys driver:

Table 1. Malicious binaries written to disk by the adversary.
FileName and Path	SHA256
`C:\Users\Public\WatchMgrs.exe`	`667aabfb4fddb117839b0c0fc309dcc2a21af205ec4dabf5db2ab9074a2776cd`
`C:\Users\Public\svc.exe`	`fac69e209c794b514d704f8be80522d53b6fdb3bf1766f2236f1fdb37dca5235`
`C:\Users\Public\veeam.exe`	`9e063d678bff118a4f417cb8d98afde780d217ca13cfc1bc9bd4c57c50241109`
`C:\Users\Public\SvcMgr.exe`	`9d580c2a06f2fef7a7b2d2c969c1cf70371852901e988b30676177a657246950`
`C:\SSL\cert.exe`	`15fa468251dcc8c981521b3f8db9fff62860947597257fc616688d9fd443d651`

All binaries were prevented due to suspicious IOCTL requests to the TfSysMon.sys driver.

Figure 7. veeam.exe process killed following suspicious IOCTL request to the TfSysMon.sys driver

BYOVD Attempt 2: `TrueSight.sys`

The adversary then attempted to switch to a new driver by bringing the new binary C:\Users\Public\syscoreservice.exe. This dropped another known vulnerable driver, TrueSight.sys, masquerading as the file C:\Windows\System32\drivers\truepath.sys. This file is also classed as “weaponizable” and can be used to terminate EDR products. In this case, Falcon detected the driver and quarantined it upon write to disk, thereby denying the adversary any chance to attempt to load it.

Figure 8. Vulnerable driver TrueSight.sys is quarantined when written by malicious file syscoreservice.exe

BYOVD Attempt 3: `aswArPot.sys`

In between failed attempted executions of malicious PowerShell scripts, the adversary copied the well-known vulnerable driver aswArPot.sys to disk as C:\Users\Public\aswArPot.sys. This vulnerable driver was part of Avast Anti-Rootkit and contains API functions that allow termination of protected processes. It has been used by eCrime ransomware adversaries for a number of years. In this case, it was written to disk and immediately quarantined by Falcon, similar to TrueSight.sys.

BYOVD Attempt 4: `viragt64.sys`

The adversary then attempted to stage further malware in a new location under C:\AU_Data\Bin. Two of these files, loader.exe and loader_protected.exe, were detected by CrowdStrike Falcon® Prevent next-gen antivirus (NGAV) and quarantined on write.

Another unique binary was then executed by the attacker: magic.exe. Both the execution command lines and behavior of the binary magic.exe are consistent with a version of EDRKillShifter, as previously documented by Sophos.⁴ In this case, the attacker passed the password string for the loader on the command line via a -pass argument.

This binary was executed and wrote the vulnerable driver viragt64.sys as C:\Users\<REDACTED>\AppData\Local\Temp\20240815.sys. This driver was originally part of the Vir.IT eXplorer Anti-Virus product. Over time, this driver has had a number of associated CVEs that allow arbitrary code execution in the kernel. Again, the driver was detected upon being written to disk as part of Falcon BYOVD protection and was quarantined.

Figure 9. Malicious file, magic.exe, is blocked from writing viragt64.sys to disk, and the driver is subsequently quarantined

The adversary attempted multiple executions of magic.exe, and all of them resulted in the driver being quarantined or the driver loading process being killed. The magic.exe loader programmatically attempted to start the driver via Service Control with a service masquerading as the name of a Microsoft Knowledge Base update using the command lines “sc create KB20240815 binpath= C:\Users\<REDACTED>\AppData\Local\Temp\20240815.sys type= kernel start=auto” and “sc start KB20240815.” Falcon killed this Service Control process.

Figure 10. Falcon detection for a malicious kernel service creation spawning from magic.exe

BYOVD Attempt 5: `rentdrv2.sys`

The adversary persisted and attempted to copy another vulnerable driver — rentdrv2.sys — to disk, masquerading as C:\AU_Data\1721289943.sys.⁵ Rentdrv2.sys is also vulnerable, with a weaponizable capability to terminate protected processes. Once again, upon being written by the explorer.exe process, Falcon quarantined the file and denied the adversary the opportunity to abuse it.

BYOVD Attempt 6: `ksapi64.sys`

Approximately nine days later, the adversary returned to reattempt compromise of the customer’s network. Using a new user account, they accessed the same domain controller via RDP and wrote another vulnerable driver and five other unique binaries. Three of these binaries were detected by Falcon Prevent NGAV. The vulnerable driver was a weaponizable driver, ksapi64.sys, which is part of the Kingsoft Antivirus Security System and can be abused to kill protected processes. The driver was masquerading as C:\Users\Public\WinDAPI.sys and C:\Users\Public\WinDAPI64.sys, and it was quarantined on each write attempt. The other malicious binaries (shown in Table 2) were ineffective when executed by the attacker.

Table 2. Second batch of malicious binaries written to disk
Filename and Path	SHA256
`C:\Users\Public\winapi64.exe`	`84342134651305615efec28511c7e25f3891fed6407062198c70013fdde0d9be`
`C:\Users\<REDACTED>\Desktop\dap.exe`	`0baac5f996e113fbe2e55bd7cc7dcd24ef7beeea10df12f87581b525438e8ea7`
`C:\Users\<REDACTED>\Desktop\api64.exe`	`efb4f88f843125285ce28c37b2971547e54800b4d1a3e9bbd3e4b04b0fd07f00`
`C:\Users\<REDACTED>\Desktop\dapi.exe`	`efb4f88f843125285ce28c37b2971547e54800b4d1a3e9bbd3e4b04b0fd07f00`
`C:\Users\<REDACTED>\Desktop\dapi64.exe`	`1abd7e28156c4992641bebefa4e210c9e6e9601ebb78e690b3324f738804d7ee`

Figure 11. List of drivers and malware quarantined via Falcon Vulnerable Driver Protection and Falcon Prevent NGAV

CrowdStrike Falcon Layered BYOVD Protection

Preventing BYOVD attacks starts with having a large corpus of telemetry and intelligence to identify new and emerging vulnerable drivers. CrowdStrike detection engineers analyze the wide range of intrusion data available from our CrowdStrike Falcon® Complete Next-Gen MDR service, CrowdStrike® Falcon Adversary OverWatch™ threat hunters and over one trillion weekly events from our customers to identify new and suspicious drivers that warrant further investigation.

These drivers of interest are analyzed by a dedicated team of reverse engineers who specialize in vulnerable drivers. This team has analyzed thousands of drivers that could be used in BYOVD attacks to provide extensive protection beyond publicly known drivers.

From this work, CrowdStrike Falcon implements layered protection against BYOVD threats. Once a driver is proven to be vulnerable, varied and overlapping detections are created to detect their abuse. This can cover suspicious driver loading, kernel service registration, driver-written events or IOCTL usage. This ensures even unknown drivers can be detected through their behavioral characteristics and overlapping protection is provided.

Recommended Prevention Settings

For the most comprehensive BYOVD coverage, customers should enable “Suspicious Process Prevention,” “Additional User Mode Data Visibility,” “Driver Load Prevention” and “Vulnerable Driver Protection.” All require a Falcon Prevent subscription and sensor version 7.05 or higher.

Figure 12. Recommended vulnerable driver load prevention settings

Indicators of Compromise

Observed Malware

Filename	Observations	SHA256 Hash
`WatchMgrsCore.exe`	Wrote `TfSysMon.sys` to disk and attempted to load that driver	821428d230a807049ac600205b3fb1cb8af24d1056b47e421914e57b36f5b3e5
`WatchMgrs.exe`	Unknown, likely failed to properly execute	476da1c67727bbf8f6e2778d1c8e30284f82fa42d3d094c29e6e38250fb5e6d9
`WatchMgrs.exe`	Attempted suspicious IOCTL requests to `TfSysMon.sys`	667aabfb4fddb117839b0c0fc309dcc2a21af205ec4dabf5db2ab9074a2776cd
`svc.exe`	Attempted suspicious IOCTL requests to `TfSysMon.sys`	fac69e209c794b514d704f8be80522d53b6fdb3bf1766f2236f1fdb37dca5235
`veeam.exe`	Unknown, likely failed to properly execute	881b4b5d72bf1b080fd68ecb9483c69cb7d3c0e9f86a13f433223a6877d230ba
`veeam.exe`	Attempted suspicious IOCTL requests to `TfSysMon.sys`	9e063d678bff118a4f417cb8d98afde780d217ca13cfc1bc9bd4c57c50241109
`SvcMgr.exe`	Attempted suspicious IOCTL requests to `TfSysMon.sys`	9d580c2a06f2fef7a7b2d2c969c1cf70371852901e988b30676177a657246950
`cert.exe`	Attempted suspicious IOCTL requests to `TfSysMon.sys`	15fa468251dcc8c981521b3f8db9fff62860947597257fc616688d9fd443d651
`syscoreservice.exe`	Writes `TrueSight.sys` driver and spawns service control (`sc.exe`) to load and start the driver.	61fd2a767705a6309b4a57e499fd6ffc5ad9667bc4464f0b48b2cf15900e0fcd
`loader.exe`	Likely EDRKillShifter loader	b2a2e8e0795b2f69d96a48a49985fb67d22d1c6e8b40dadd690c299b9af970d4
`loader_protected.exe`	Likely EDRKillShifter loader	9b304918e88dcee2cd18d201fb94ed756a4855492446fc1a2658785a85a850c0
`magic.exe`	Likely EDRKillShifter loader	1f1d3587e458dd883f9ca282fbf559115334a993ba111ec2296e94de8a6fab83
`winapi64.exe`	Writes `ksapi64.sys` to disk. Likely custom EDR killer	84342134651305615efec28511c7e25f3891fed6407062198c70013fdde0d9be
`dap.exe`	Writes `ksapi64.sys` to disk. Likely custom EDR killer	0baac5f996e113fbe2e55bd7cc7dcd24ef7beeea10df12f87581b525438e8ea7
`api64.exe`	Quarantined by NGAV on write	efb4f88f843125285ce28c37b2971547e54800b4d1a3e9bbd3e4b04b0fd07f00
`dapi.exe`	Quarantined by NGAV on write	efb4f88f843125285ce28c37b2971547e54800b4d1a3e9bbd3e4b04b0fd07f00
`dapi64.exe`	Quarantined by NGAV on write	1abd7e28156c4992641bebefa4e210c9e6e9601ebb78e690b3324f738804d7ee

Written Vulnerable Drivers

Filename	Driver	Authenticode SHA256 Hash	SHA256 Hash
`WatchMgrsCore.sys`	TfSysMon driver	57bdc10ea85c3a4472a5614e3e8de27c6ae128b41b9b75910de7e0fdf1324bd0	235150d847d07bc6b11282c01243ebd01570fa079a2798cacc34f8dfe6bebc00
`truepath.sys`	TrueSight driver	60d4aaae13d250ca2a242d758fecd7928616a86a4ac73f1bf2ac2f3127646a0e	4a4899da2070261eff91c71e2fb1f8ae66be95850191ee6c49e95fdc2133d038
`aswArPot.sys`	Avast Anti-Rootkit driver	c0c131bc8d6c8b5a2be32474474b1221bce1289c174c87e743ed4a512f5571d4	4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1
`20240815.sys`	Viragt64 driver	54e969dc477af9a3e5b53dc4edaebc41a7b73c87ecca13dc1fbb8dfc86c0fd78	58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495
`1721289943.sys`	Rentdrv2 driver	b3c9af8c4be8f62d25b955f92d2a4e9ebd34f7fa787580454ef54241102e7b30	9165d4f3036919a96b86d24b64d75d692802c7513f2b3054b20be40c212240a5
`WinDAPI64.sys` `WinDAPI.sys`	Ksapi Driver	31ce60480166e9ebef758b66f770f3fea86dd429da27fc5eed755c3d8c4e20fa	1cd219f58b249a2e4f86553bdd649c73785093e22c87170798dae90f193240af

Endnotes

1. IOCTLs are special codes used in input request rackets (IRPs) to enable communication between user mode processes and kernel device drivers. They provide a standardized way for applications to request specific actions from devices, such as reading or writing data, controlling device settings, or retrieving device information.

2. Available at https://github.com/gentilkiwi/mimikatz.

3. loldrivers is an open-source repository for known vulnerable drivers that could be used in BYOVD attacks, available at https://www.loldrivers.io/.

4. See https://news.sophos.com/en-us/2024/08/14/edr-kill-shifter/.

5. The file was copied to disk via explorer.exe but has a file name consistent with it being part of EDRKillShifter malware. The file name corresponds to a UNIX timestamp of 18 July 2024 08:05:43 UTC.

Aflac Drives Consolidation with the Falcon Platform, Eliminating 15 Point Security Tools in Three Years

Privacy
Request Info
Blog
Contact Us
1.888.512.8906
Accessibility