Exploiting Vulnerable Drivers

Often, attackers will attempt to prevent security software from interfering with their attack chains by abusing a vulnerable driver to kill or otherwise disable the system’s security software (antivirus, EDR, etc.). Because drivers run in highly privileged OS kernel mode, it is difficult to prevent attackers from achieving their goals once they have managed to achieve code execution in the kernel.

To ensure that only legitimate code gets to run in the kernel, Windows requires that the driver code bear an Authenticode signature from a particular certificate authority. Microsoft signs these drivers only after verifying their provenance and running through various driver-verification suites to help ensure their robustness.

However, even if all of the drivers on a system are legitimate, attackers have had success in finding vulnerabilities in legitimate drivers that allow them to abuse the driver to achieve their goals. Like any code, some drivers have bugs that allow them to corrupt memory, leak data that needs to be secret, or otherwise perform functions unintended by the original author. These vulnerable drivers represent a critical attack surface that attackers abuse to achieve their own ends.

Beyond abusing drivers already present on a victim device, in a BYOVD (Bring Your Own Vulnerable Driver) attack an attacker drops a vulnerable driver onto the device and then abuses it with their malware.

To address this threat vector, Microsoft has three main mechanisms:

  1. Exploitable driver blocklist – Enforced by the Windows kernel itself, blocks the loading of drivers known to be vulnerable.
  2. Microsoft Defender Attack Surface Reduction rule – Enforced by Microsoft Defender, prevents known vulnerable drivers from being written to the system. Because the driver is blocked before it ever loads, the risk of compatibility problems is somewhat reduced (in a legitimate scenario, the device’s installer fails at install time rather than at runtime).
  3. Microsoft Defender Signatures – Enforced by Microsoft Defender Antivirus, blocks vulnerable drivers directly using the AV engine. This approach is appropriate only for drivers under active exploitation and with little legitimate use.
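As an added example (mine, not code from the post or from Microsoft), the following PowerShell audits the state of the three mechanisms above on a Windows host, which is the check a defender wants before trusting that BYOVD is covered. It assumes the kernel blocklist is toggled by the documented registry value `VulnerableDriverBlocklistEnable` under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config` (and is implied when HVCI is running), and that the ASR rule “Block abuse of exploited vulnerable signed drivers” carries the rule ID `56a863a9-875e-4185-98a7-b882c64b5ce5`; both values should be verified against current Microsoft documentation before relying on them.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell
# prompt on a host running Microsoft Defender Antivirus.
#
# Assumptions (verify against current Microsoft documentation):
#   - Kernel blocklist state is reflected by the registry value
#     HKLM\SYSTEM\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable
#     and is implied when HVCI (memory integrity) is running.
#   - The ASR rule "Block abuse of exploited vulnerable signed drivers" has the
#     rule ID below.
$AsrVulnerableDriverRuleId = '56a863a9-875e-4185-98a7-b882c64b5ce5'   # assumption: documented rule ID

function Get-KernelBlocklistState {
    # Mechanism 1: kernel-enforced vulnerable driver blocklist.
    $ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $value = (Get-ItemProperty -Path $ciKey -Name 'VulnerableDriverBlocklistEnable' `
              -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    # Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $hvciRunning = ($null -ne $dg) -and (@($dg.SecurityServicesRunning) -contains 2)

    [pscustomobject]@{
        Mechanism = 'Kernel blocklist'
        Enabled   = ($value -eq 1) -or $hvciRunning
        Detail    = "VulnerableDriverBlocklistEnable=$value; HVCI running=$hvciRunning"
    }
}

function Get-AsrVulnerableDriverRuleState {
    # Mechanism 2: Defender ASR rule. Action codes: 0=Disabled, 1=Block, 2=Audit, 6=Warn.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    # Ids and Actions are parallel arrays; find our rule case-insensitively.
    $action = $null
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $AsrVulnerableDriverRuleId) { $action = $actions[$i]; break }
    }

    $actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $actionName = if ($null -eq $action) { 'Not configured' }
                  elseif ($actionNames.ContainsKey([int]$action)) { $actionNames[[int]$action] }
                  else { "Unknown ($action)" }

    [pscustomobject]@{
        Mechanism = 'ASR: block abuse of exploited vulnerable signed drivers'
        Enabled   = ($actionName -eq 'Block')
        Detail    = "Rule $AsrVulnerableDriverRuleId action=$actionName"
    }
}

function Get-DefenderSignatureState {
    # Mechanism 3: Defender AV signatures only help if the engine is on and current.
    $status = Get-MpComputerStatus
    $age    = (Get-Date) - $status.AntivirusSignatureLastUpdated
    [pscustomobject]@{
        Mechanism = 'Defender AV signatures'
        Enabled   = $status.AntivirusEnabled -and $status.RealTimeProtectionEnabled
        Detail    = "Signature version $($status.AntivirusSignatureVersion), updated $([int]$age.TotalDays) day(s) ago"
    }
}

function Enable-AsrVulnerableDriverRule {
    # Remediation for mechanism 2: switch the rule to Block mode. Add-MpPreference
    # merges with existing rules rather than replacing them.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrVulnerableDriverRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
}

# Summary table; rows with Enabled=False are the gaps to close.
Get-KernelBlocklistState, Get-AsrVulnerableDriverRuleState, Get-DefenderSignatureState |
    Format-Table -AutoSize
```

The audit is read-only; `Enable-AsrVulnerableDriverRule` is defined but not called, so turning the ASR rule on is a deliberate step after reviewing the table. Note that an ASR rule in Audit mode logs rather than blocks, which is why only `Block` counts as enabled here.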

Published by ericlaw

Impatient optimist. Dad. Author/speaker. Created Fiddler & SlickRun. PM @ Microsoft 2001-2012, and 2018-, working on Office, IE, and Edge. Now working on Microsoft Defender. My words are my own, I do not speak for any other entity.
