KERNEL MODE THREATS
AND PRACTICAL
DEFENSES
Joe Desimone
Gabriel Landau
ABOUT US
Joe Desimone (@dez_)
Senior Malware Researcher
Interests include offensive security research, reverse engineering, threat intelligence, and development of endpoint protections.
Gabriel Landau (@gabriellandau)
Principal Software Engineer
Past work includes product & DRM evaluation, malware RE, and offensive security research. Interests include Windows internals, with a focus on development of endpoint protections.
AGENDA
PART 1
Evolution of kernel
mode threats and
platform protections
PART 2
Offensive tradecraft
to evade platform
protections
PART 3
Augmenting OS
defenses
WHY THE
KERNEL?
Defense Evasion
• Hide processes, files, registry keys,
network activity
• Entrenchment/Persistence
• Lack of visibility into kernel
Privilege Escalation
• Same privilege as security software
EVOLUTION
FIRST
GENERATION
KERNEL
MALWARE
Rustock (~2007)
• Infect Windows drivers on disk
• Standard rootkit functionality
TDSS/TDL-1 (~2008)
• Reg/File/Process/Network hiding
• Infect driver
ZeroAccess (~2009)
• Overwrite random driver
• Hidden encrypted NTFS
volume
• x86 only
NEW OS DEFENSES
PatchGuard
• Detect kernel patching/hooks → BSOD
• First on Windows XP x64 Edition / Server 2003 SP1 (~2005)
Driver Signature Enforcement (DSE)
• All drivers must be digitally signed
• First on Vista x64 (~2007)
Both defenses became more important as x64 market share grew
BOOTKITS
Replace the MBR (or VBR) to gain execution before the OS.
eEye BootRoot (2005)
• First public PoC
Mebroot AKA Sinowal (~2008)
• NDIS hook to evade firewalls
TDL4 (~2010)
• Replace kdcom.dll to gain early execution
• Modify Boot Configuration Data (BCD) to disable DSE
Xpaj (~2012)
• Set hooks before PatchGuard initialization
COUNTERING BOOTKITS
Secure Boot
• UEFI firmware validates the signature of the OS bootloader
• First supported in Windows 8 (~2012)
Trusted Boot
• Each component of the early Windows boot process is verified by signature
Intel Boot Guard
• Root of trust in hardware (CPU)
Intel BIOS Guard
• Secure BIOS updates
BRING YOUR OWN VULN
Bring a signed, vulnerable driver. Use it to bootstrap into the kernel.
Uroburos / Turla
• Exploit VBox driver
• Disable DSE by modifying g_CiEnabled
• Disable PatchGuard via RtlCaptureContext hook
Derusbi
• Exploit Novell driver
• Disable DSE by modifying CiOptions
• Also used stolen certificates
Slingshot
• Exploit Sandra driver
• Hide network traffic
DUQU 2.0
• Main payload used a 0day in win32k.sys for kernel execution (CVE-2015-2360)
• Hooked the IAT of the Kaspersky driver to spoof process information
  • Allowed the user-mode component to pass as a trusted Kaspersky process
• Separate driver used for persistence in the DMZ
• Used a stolen Foxconn certificate
• Redirected traffic with NDIS filtering
DOUBLEPULSAR
• Volatile kernel mode implant
• Loaded via remote ring0 exploit (e.g. ETERNALBLUE)
• Evades PatchGuard by hooking the srv!SrvTransactionNotImplemented pointer (a data pointer, not code)
• Injects DLLs into user mode via APCs
VIRTUALIZATION BASED SECURITY
• VTL1 – new Secure Kernel, trustlets
• VTL0 – normal kernel, drivers
• Second Level Address Translation (SLAT/EPT) guards access to VTL1 memory
• IOMMU protects against DMA access
• Hypervisor-protected Code Integrity (HVCI)
  • All kernel code must be signed; W^X enforced on kernel pages
• Credential Guard
Attacker: Initial kernel malware – Rustock, TDSS, ZeroAccess
Defender: First kernel defenses – PatchGuard and Driver Signature Enforcement (DSE)
Attacker: Bootkit malware – Sinowal, TDL4, Xpaj
Defender: Countering bootkits – Secure Boot, Trusted Boot, Boot Guard, etc.
Attacker: Exploit to load driver – Uroburos, Duqu 2.0, DoublePulsar
Defender: Virtualization Based Security (VBS)
KERNEL MITIGATIONS ACROSS WINDOWS VERSIONS
ADOPTION RATE
Windows 10 is less than half of worldwide installations. How many of those run HVCI?
AGENDA
PART 1
Evolution of kernel
mode threats and
platform protections
PART 2
Offensive
tradecraft to
evade platform
protections
PART 3
Augmenting OS
defenses
INTERNAL RvB
FILELESS KERNEL MODE IMPLANT
• Evade Blue Team by moving to the kernel
• Kernel dev environment
• VS 2015, Windows Driver Kit (WDK) 10
• Virtual KD / Windbg
• Turla Driver Loader (TDL)
EVASION
IMPLANT DESIGN
• Kernel mode ONLY
• Winsock Kernel (WSK) for C2
• Triggerable (no beacons)
• Basic backdoor functionality
IMPLANT LOADER
Loader stages: Script → .NET → Native
• Script: Squiblydoo (XSL / JScript), PowerShell
• Script to .NET: DotNetToJS
• .NET to native: .NET MemoryModule
• Native to kernel: TDL / exploit
STAYING DISKLESS
NETWORK DRIVER LOAD
• Avoid dropping the driver to disk by loading it over WebDAV:
• ZwLoadDriver(\Device\WebDavRedirector\;127.0.0.1@8000\exploitable.sys)
• Sysmon path conversion bug
STEALTHY NETWORK COMMS
DEMO EVASION
EVADING VBS / HVCI
• The VirtualBox driver vulnerability is a no-go: the driver won't even load under HVCI
• Step one was to find a vulnerable driver that loads under HVCI. www.greyhathacker.net has tons of PoCs (Parvez Anwar)
• BYOV – Bring your own vulnerability. Choose wisely!
  • Static 1-byte write vs. write-what-where
EVADING VBS / HVCI – DATA DRIVEN ATTACKS
• Modifying kernel memory can still significantly compromise the integrity of the system (HVCI protects code pages, not data)
• IAT patching
  • Even if the IAT were protected by VBS, there are many other targets
• Disable EDR kernel-user communications
• Disable security-focused kernel ETW providers
  • Microsoft-Windows-Threat-Intelligence
• Elevate privileges – token or handle
• Other data-only attacks / data corruption
EVADING VBS / HVCI – CODE RE-USE
• Create a "surrogate" thread and put it to sleep (waiting on a mutex)
• Find the location of its kernel stack via the _ETHREAD
• Build the ROP chain
• Hook the stack: overwrite the saved return address into NtWaitForSingleObject with a stack-pivot gadget
• Resume the thread (ReleaseMutex)
• Dynamically build the chain based on the number of arguments of the target function
• Ten gadgets suffice for a full N-argument function call:
  • Pivot (pop rsp; ret)
  • Restore the 16 bytes overwritten on the stack
  • Set up arguments in registers/stack
  • Call the target function
  • Save the return value (rax)
  • Restore R14 (mutex object)
  • Unpivot
EXAMPLE - WriteProcessMemory
DEMO
AGENDA
PART 3
Augmenting OS
defenses
PART 1
Evolution of kernel
mode threats and
platform protections
PART 2
Offensive tradecraft
to evade platform
protections
DRIVER EVENTING
• You should very carefully monitor driver load events
• Look for low-prevalence drivers
• Identify known-exploited drivers (blacklist)
• Free instrumentation:
  • Sysmon Event ID 6: Driver loaded
  • Windows Defender Application Control (Device Guard) audit mode
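Driver-load hunting over Sysmon Event ID 6 records, as an added example (this is not the deck's tooling, and the hashes, hosts and message bodies below are constructed for illustration). It parses the event's Message text, computes how many hosts each driver hash was seen on, and flags drivers that are on a known-exploited list, unsigned or with an invalid signature, loaded over a UNC path (the WebDAV trick from the evasion section), or rare across the fleet:

```python
from collections import defaultdict

# Constructed placeholder hash -> label. A real list carries the SHA256 of
# signed drivers with public write-what-where primitives.
KNOWN_EXPLOITED = {
    "11" * 32: "placeholder exploitable driver (constructed hash)",
}


def parse_driver_load(message):
    """Parse the 'Field: value' lines of a Sysmon Event ID 6 Message body."""
    fields = {}
    for line in message.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def hashes_of(fields):
    """Split the Hashes field ('SHA256=...,IMPHASH=...') into alg -> digest."""
    out = {}
    for part in fields.get("Hashes", "").split(","):
        alg, sep, digest = part.partition("=")
        if sep:
            out[alg.strip().upper()] = digest.strip().lower()
    return out


def hunt(events, min_hosts=2):
    """events: list of (hostname, message). Returns sorted (host, image, reason)."""
    parsed = [(host, parse_driver_load(msg)) for host, msg in events]
    hosts_per_hash = defaultdict(set)
    for host, f in parsed:
        sha = hashes_of(f).get("SHA256")
        if sha:
            hosts_per_hash[sha].add(host)
    findings = set()
    for host, f in parsed:
        image = f.get("ImageLoaded", "")
        sha = hashes_of(f).get("SHA256")
        if sha in KNOWN_EXPLOITED:
            findings.add((host, image, "known-exploited: " + KNOWN_EXPLOITED[sha]))
        if f.get("Signed", "").lower() != "true" or f.get("SignatureStatus") != "Valid":
            findings.add((host, image, "unsigned or invalid signature"))
        if image.startswith("\\\\"):  # loaded straight from a network share
            findings.add((host, image, "loaded over UNC path"))
        if sha and len(hosts_per_hash[sha]) < min_hosts:
            findings.add((host, image, "low prevalence: seen on %d host(s)"
                          % len(hosts_per_hash[sha])))
    return sorted(findings)


def _sysmon_message(image, sha256, signed, status, signature):
    # Constructed in the shape of a Sysmon Event ID 6 Message body.
    return ("Driver loaded:\nRuleName: -\nUtcTime: 2018-08-01 10:00:00.000\n"
            "ImageLoaded: %s\nHashes: SHA256=%s,IMPHASH=%s\nSigned: %s\n"
            "Signature: %s\nSignatureStatus: %s"
            % (image, sha256, "0" * 32, signed, signature, status))


TCPIP = "C:\\Windows\\System32\\drivers\\tcpip.sys"
SAMPLE_EVENTS = [  # constructed fleet telemetry
    ("host01", _sysmon_message(TCPIP, "aa" * 32, "true", "Valid", "Microsoft Windows")),
    ("host02", _sysmon_message(TCPIP, "aa" * 32, "true", "Valid", "Microsoft Windows")),
    ("host03", _sysmon_message(TCPIP, "aa" * 32, "true", "Valid", "Microsoft Windows")),
    # validly signed third-party driver, loaded over WebDAV without touching disk
    ("host02", _sysmon_message("\\\\127.0.0.1@8000\\share\\exploitable.sys",
                               "11" * 32, "true", "Valid", "Example Vendor")),
    ("host03", _sysmon_message("C:\\Users\\Public\\dropper.sys",
                               "22" * 32, "false", "Unavailable", "-")),
]

if __name__ == "__main__":
    for host, image, reason in hunt(SAMPLE_EVENTS):
        print("%-7s %-45s %s" % (host, image, reason))
```

The signed-but-exploitable driver is the case signature checks alone miss: it is caught only by the block list and by its prevalence, which is why the two checks are kept separate from the signature check.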
EVOLUTION
DEFENSES
REDUCING ATTACK SURFACE
• Limit kernel drivers to WHQL
• Blacklist exploitable drivers
  • Default in Win10 RS5 HVCI
  • Endgame Kernel Attack Surface Reduction (KASR)
    • No configuration required
    • Free. Available at www.endgame.com
KERNEL MEMORY COLLECTION
Problem: Full memory acquisition and offline analysis does not scale.
Solution: Leverage the same acquisition techniques to read kernel memory at the endpoint and perform the analysis there.
• \Device\PhysicalMemory
• MmMapIoSpace
• MmMapMemoryDumpMdl
• Page Table Entry (PTE) remapping
• Page Table Entry (PTE) remapping
  • Introduced by Stüttgen and Cohen (DFRWS 2013)
  • Most performant in testing
  • More resilient to rootkit tampering (no API to hook)
  • Based on the CPU architecture, so it is cross-OS
  • Modify the PTE of a controlled chunk of memory to point at the physical page you want to read
FUNCTION POINTER INTEGRITY SCAN
• Generically detect function pointer hooks
• Locate function pointers by walking relocation tables
• Endgame Marta
  • Free. Available at www.endgame.com
Consider a hit if the pointer:
• originally pointed to a +X section in the on-disk copy of the driver, and now
• does not point to a loaded driver in memory, or
• points to executable memory
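A model of the relocation-table scan described above, written here as an added example and not Marta's own code. A driver's base-relocation table lists every absolute 64-bit slot the loader rebases, which covers its function-pointer tables. For each such slot the scanner compares the in-memory value against the on-disk value rebased to the load address; a slot that originally pointed into the driver's own executable section and now points outside every loaded module (unbacked shellcode) or into another module's executable memory is reported. The modules, addresses and image bytes are constructed, and the "loader" is simplified to the rebasing step only:

```python
import struct


class Module:
    """A loaded driver: on-disk image plus the rebased in-memory copy (constructed)."""

    def __init__(self, name, disk_base, mem_base, size, exec_ranges, relocs, disk_image):
        self.name = name
        self.disk_base = disk_base          # ImageBase from the PE header
        self.mem_base = mem_base            # address the loader actually used
        self.size = size
        self.exec_ranges = exec_ranges      # (offset, size) of +X sections
        self.relocs = relocs                # offsets of IMAGE_REL_BASED_DIR64 slots
        self.disk_image = bytes(disk_image)
        self.image = bytearray(disk_image)
        delta = mem_base - disk_base
        for off in relocs:                  # what the loader does: rebase each slot
            val = struct.unpack_from("<Q", self.image, off)[0]
            struct.pack_into("<Q", self.image, off, val + delta)

    def contains(self, va):
        return self.mem_base <= va < self.mem_base + self.size

    def is_exec(self, va):
        off = va - self.mem_base
        return any(s <= off < s + n for s, n in self.exec_ranges)

    def write_ptr(self, off, va):           # stand-in for a rootkit's hook write
        struct.pack_into("<Q", self.image, off, va)


def find_module(modules, va):
    return next((m for m in modules if m.contains(va)), None)


def scan_module(mod, modules):
    """Return (module, slot offset, current value, reason) for each suspected hook."""
    hits = []
    delta = mod.mem_base - mod.disk_base
    for off in mod.relocs:
        disk_val = struct.unpack_from("<Q", mod.disk_image, off)[0]
        expected = disk_val + delta
        # Only slots whose original target is this driver's own code are function pointers
        if not (mod.contains(expected) and mod.is_exec(expected)):
            continue
        actual = struct.unpack_from("<Q", mod.image, off)[0]
        if actual == expected:
            continue
        owner = find_module(modules, actual)
        if owner is None:
            hits.append((mod.name, off, actual, "target not in any loaded module"))
        elif owner.is_exec(actual):
            hits.append((mod.name, off, actual,
                         "redirected into executable memory of %s" % owner.name))
        # A pointer moved to non-executable memory is data, not a hook: ignored
    return hits


VICTIM_MEM = 0xFFFFF80000200000
OTHER_MEM = 0xFFFFF80000300000
SHELLCODE = 0xFFFFF80000500000   # unbacked pool allocation, owned by no module


def build_scenario():
    """Constructed victim driver: .text at 0x1000 (+X), dispatch table in .data at 0x2000."""
    disk = bytearray(0x3000)
    struct.pack_into("<Q", disk, 0x2000, 0x10000 + 0x1000)   # -> handler in .text
    struct.pack_into("<Q", disk, 0x2008, 0x10000 + 0x1200)   # -> handler in .text
    struct.pack_into("<Q", disk, 0x2010, 0x10000 + 0x2800)   # -> data, not code
    victim = Module("victim.sys", 0x10000, VICTIM_MEM, 0x3000,
                    [(0x1000, 0x1000)], [0x2000, 0x2008, 0x2010], disk)
    other = Module("other.sys", 0x20000, OTHER_MEM, 0x2000,
                   [(0x1000, 0x1000)], [], bytearray(0x2000))
    # Hooks: one DoublePulsar-style pointer into unbacked shellcode, one into another driver's code
    victim.write_ptr(0x2000, SHELLCODE)
    victim.write_ptr(0x2008, OTHER_MEM + 0x1100)
    victim.write_ptr(0x2010, OTHER_MEM + 0x400)   # data pointer repointed: not reported
    return [victim, other]


def demo():
    modules = build_scenario()
    return [h for m in modules for h in scan_module(m, modules)]


if __name__ == "__main__":
    for name, off, va, reason in demo():
        print("%s+0x%x -> 0x%x: %s" % (name, off, va, reason))
```

The on-disk copy is the reference because the rebase delta is known from the load address, so the expected value of every slot can be recomputed without trusting anything in memory; a rootkit that hooks a pointer has to change the slot, and the relocation table tells the scanner which slots to look at.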
REALTIME DETECTION OF UNBACKED KERNEL CODE
Performance Monitoring Unit (PMU)
• Built into most CPUs of the last decade
• Programmable to count specific events
• Can generate an interrupt when a certain number of events occur
Detect unbacked kernel shellcode / unbacked drivers
• Program the PMU to fire an interrupt on some event likely to occur inside an unbacked driver
• When the interrupt fires, validate that the IP belongs to a loaded driver
DEMO
Weaknesses
• False positives from legitimately unbacked code (including PatchGuard)
• Vulnerable to PMU disablement via MSR
• Detection driver is susceptible to data attacks
REALTIME DETECTION OF UNBACKED KERNEL CODE: HYPERVISOR APPROACHES
• MemoryMon
  • Leverages EPT to detect unbacked kernel code execution
• AllMemPro
  • Mitigates data attacks by isolating driver data with a hypervisor
  • Based on the same platform as MemoryMon
• SecVisor
  • CMU research from 2007
  • Early implementation of hypervisor-enforced code integrity
HARDENING THE WINDOWS KERNEL AGAINST ROP
• CFG provides forward-edge CFI, but there is no reverse-edge CFI
• RFG was cancelled
• Intel CET requires future hardware
IDEA: Provide reverse-edge kernel CFI using the PMU
ROP tends to generate lots of branch mispredictions
• Scan drivers to identify call/return sites
• Configure the LBR to record CPL0 near returns
• Configure the PMU to fire a PMI when the BR_MISP_RETIRED counter overflows
• Validate that every new LBR entry is call-preceded
Performance
• Protection tunable from deterministic to probabilistic (how often the PMI fires)
• JetStream benchmark on an Intel Skylake 6700K: ~1.1% overhead
HARDENING THE WINDOWS KERNEL AGAINST ROP
DEMO
Limitations
• Vulnerable to malicious drivers; hypervisor protection needed
  • wrmsr IA32_PERF_GLOBAL_CTRL, 0 silences the PMU
  • Data attack against the policy bitmap
• Requires an available PMU and LBR
  • No VMware/Hyper-V support
• Incompatible with obfuscated drivers
  • Windows ships with two: clipsp.sys and peauth.sys
• Something similar exists on Linux
• Windows platform security has gotten much better in the last
decade. However, kernel mode threats are still a big concern
• Use Windows 10 with SecureBoot and HVCI
• Require EV/WHQL drivers via code integrity policy
• Monitor and hunt on driver load events
CONCLUSION
QUESTIONS?
REFERENCES
• https://www.virusbulletin.com/virusbulletin/2008/08/yet-another-rustock-analysis
• https://securelist.com/rustock-and-all-that/36217/
• https://securelist.com/tdss/36314/
• https://people.eecs.berkeley.edu/~pearce/papers/zeroaccess_tr_2013.pdf
• https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/trojan-zeroaccess-infection-analysis-12-en.pdf
• https://nakedsecurity.sophos.com/zeroaccess/
• https://msdn.microsoft.com/en-us/library/bb530195.aspx
• https://securelist.com/tdss-tdl-4/36339/
• https://www.coseinc.com/en/index.php?rt=download&act=publication&file=TDL4_Carrier_to_Glupteba.pdf
• https://resources.infosecinstitute.com/uefi-and-tpm/
• http://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf
• https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf
• https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf
• https://www.sekoia.fr/blog/windows-driver-signing-bypass-by-derusbi/
• https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf
• https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205202/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf
• https://securelist.com/the-duqu-2-0-persistence-module/70641/
• https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html
• http://www.alex-ionescu.com/blackhat2015.pdf
• http://gs.statcounter.com/windows-version-market-share/desktop/worldwide/
• https://github.com/hfiref0x/TDL
• http://www.greyhathacker.net
• https://posts.specterops.io/threat-detection-using-windows-defender-application-control-device-guard-in-audit-mode-602b48cd1c11
• https://www.dfrws.org/sites/default/files/session-files/pres-anti-forensic_resilient_memory_acquisition.pdf
• https://www.cs.cmu.edu/~arvinds/pubs/secvisor.pdf
• https://github.com/tandasat/MemoryMon
• https://igorkorkin.blogspot.com/2018/03/hypervisor-based-active-data-protection.html
• https://infocon.org/cons/SyScan/SyScan%202013%20Singapore/SyScan%202013%20Singapore%20presentations/SyScan2013_DAY1_SPEAKER05_Georg_WIcherski_Taming_ROP_ON_SANDY_BRIDGE_syscan.pdf
• https://recon.cx/2015/slides/recon2015-05-peter-hlavaty-jihui-lu-This-Time-Font-hunt-you-down-in-4-bytes.pdf

More Related Content

PDF
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
The Linux Foundation
 
PDF
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
The Linux Foundation
 
PDF
Scale 12x Securing Your Cloud with The Xen Hypervisor
The Linux Foundation
 
PPTX
µ-Xen
Lars Kurth
 
PDF
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE Systems
The Linux Foundation
 
PDF
LFNW2014 Advanced Security Features of Xen Project Hypervisor
The Linux Foundation
 
PDF
BlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat Security Conference
 
PDF
Securing your Cloud with Xen - SUSECon 2013
The Linux Foundation
 
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
The Linux Foundation
 
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
The Linux Foundation
 
Scale 12x Securing Your Cloud with The Xen Hypervisor
The Linux Foundation
 
µ-Xen
Lars Kurth
 
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE Systems
The Linux Foundation
 
LFNW2014 Advanced Security Features of Xen Project Hypervisor
The Linux Foundation
 
BlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat Security Conference
 
Securing your Cloud with Xen - SUSECon 2013
The Linux Foundation
 

What's hot (20)

PDF
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGIC
The Linux Foundation
 
PDF
Intel update
The Linux Foundation
 
PDF
Rootlinux17: An introduction to Xen Project Virtualisation
The Linux Foundation
 
PDF
XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A...
The Linux Foundation
 
PDF
Xen and the art of embedded virtualization (ELC 2017)
Stefano Stabellini
 
PDF
LCA13: Xen on ARM
Linaro
 
PDF
BlueHat v18 || An ice-cold boot to break bit locker
BlueHat Security Conference
 
PDF
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
The Linux Foundation
 
PDF
Build-a-Cloud Day - Securing Your Cloud with Xen
The Linux Foundation
 
PDF
31c3 Presentation - Virtual Machine Introspection
Tamas K Lengyel
 
PPTX
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
The Linux Foundation
 
PDF
XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...
The Linux Foundation
 
PDF
Platform Security Summit 18: Xen Security Weather Report 2018
The Linux Foundation
 
PDF
XPDDS18: Xen Project Weather Report 2018
The Linux Foundation
 
PDF
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat Security Conference
 
PDF
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
The Linux Foundation
 
PDF
Xen and Client Virtualization: the case of XenClient XT
The Linux Foundation
 
PDF
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
The Linux Foundation
 
PDF
Xen Project 15 Years down the Line
The Linux Foundation
 
ODP
Virtual Machine Introspection with Xen on ARM
Tamas K Lengyel
 
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGIC
The Linux Foundation
 
Intel update
The Linux Foundation
 
Rootlinux17: An introduction to Xen Project Virtualisation
The Linux Foundation
 
XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A...
The Linux Foundation
 
Xen and the art of embedded virtualization (ELC 2017)
Stefano Stabellini
 
LCA13: Xen on ARM
Linaro
 
BlueHat v18 || An ice-cold boot to break bit locker
BlueHat Security Conference
 
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
The Linux Foundation
 
Build-a-Cloud Day - Securing Your Cloud with Xen
The Linux Foundation
 
31c3 Presentation - Virtual Machine Introspection
Tamas K Lengyel
 
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
The Linux Foundation
 
XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...
The Linux Foundation
 
Platform Security Summit 18: Xen Security Weather Report 2018
The Linux Foundation
 
XPDDS18: Xen Project Weather Report 2018
The Linux Foundation
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat Security Conference
 
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
The Linux Foundation
 
Xen and Client Virtualization: the case of XenClient XT
The Linux Foundation
 
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
The Linux Foundation
 
Xen Project 15 Years down the Line
The Linux Foundation
 
Virtual Machine Introspection with Xen on ARM
Tamas K Lengyel
 
Ad

Similar to Kernel Mode Threats and Practical Defenses (20)

PDF
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
PDF
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
NETWAYS
 
PDF
OffensiveCon2022: Case Studies of Fuzzing with Xen
Tamas K Lengyel
 
PDF
Fuzzing_with_Xen.pdf
distortdistort
 
PDF
Dockers zero to hero
Nicolas De Loof
 
PPTX
Venom vulnerability Overview and a basic demo
Akash Mahajan
 
PDF
Linux container & docker
ejlp12
 
PDF
Security Challenges of Antivirus Engines, Products and Systems
Antiy Labs
 
PPTX
Metasploit & Windows Kernel Exploitation
zeroSteiner
 
PPTX
Bridging the Semantic Gap in Virtualized Environment
Andy Lee
 
PPTX
Practical Windows Kernel Exploitation
zeroSteiner
 
PDF
Qinghai Tang, pacsec english-version-final
PacSecJP
 
PDF
how-to-bypass-AM-PPL
nitinscribd
 
PPTX
Review of Hardware based solutions for trusted cloud computing.pptx
ssusere142fe
 
PDF
Container Security Mmanagement
Suresh Thivanka Rupasinghe
 
PDF
Implementing SR-IOv failover for Windows guests during live migration
Yan Vugenfirer
 
PPTX
Fortinet sandboxing
Nick Straughan
 
PDF
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Sysdig
 
PDF
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Scott K. Larson
 
PDF
DEF CON 27 - JESSE MICHAEL - get off the kernel if you can't drive
Felipe Prado
 
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
NETWAYS
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
Tamas K Lengyel
 
Fuzzing_with_Xen.pdf
distortdistort
 
Dockers zero to hero
Nicolas De Loof
 
Venom vulnerability Overview and a basic demo
Akash Mahajan
 
Linux container & docker
ejlp12
 
Security Challenges of Antivirus Engines, Products and Systems
Antiy Labs
 
Metasploit & Windows Kernel Exploitation
zeroSteiner
 
Bridging the Semantic Gap in Virtualized Environment
Andy Lee
 
Practical Windows Kernel Exploitation
zeroSteiner
 
Qinghai Tang, pacsec english-version-final
PacSecJP
 
how-to-bypass-AM-PPL
nitinscribd
 
Review of Hardware based solutions for trusted cloud computing.pptx
ssusere142fe
 
Container Security Mmanagement
Suresh Thivanka Rupasinghe
 
Implementing SR-IOv failover for Windows guests during live migration
Yan Vugenfirer
 
Fortinet sandboxing
Nick Straughan
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Sysdig
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Scott K. Larson
 
DEF CON 27 - JESSE MICHAEL - get off the kernel if you can't drive
Felipe Prado
 
Ad

More from Priyanka Aash (20)

PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
Priyanka Aash
 
PDF
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
Priyanka Aash
 
PDF
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
Priyanka Aash
 
PDF
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
Priyanka Aash
 
PDF
Lessons Learned from Developing Secure AI Workflows.pdf
Priyanka Aash
 
PDF
Cyber Defense Matrix Workshop - RSA Conference
Priyanka Aash
 
PDF
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
Priyanka Aash
 
PDF
Securing AI - There Is No Try, Only Do!.pdf
Priyanka Aash
 
PDF
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
Priyanka Aash
 
PDF
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
Priyanka Aash
 
PDF
10 Key Challenges for AI within the EU Data Protection Framework.pdf
Priyanka Aash
 
PDF
Techniques for Automatic Device Identification and Network Assignment.pdf
Priyanka Aash
 
PDF
Keynote : Presentation on SASE Technology
Priyanka Aash
 
PDF
Keynote : AI & Future Of Offensive Security
Priyanka Aash
 
PDF
Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
PDF
Demystifying Neural Networks And Building Cybersecurity Applications
Priyanka Aash
 
PDF
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
Priyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
Priyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
Priyanka Aash
 
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
Priyanka Aash
 
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
Priyanka Aash
 
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
Priyanka Aash
 
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
Priyanka Aash
 
Lessons Learned from Developing Secure AI Workflows.pdf
Priyanka Aash
 
Cyber Defense Matrix Workshop - RSA Conference
Priyanka Aash
 
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
Priyanka Aash
 
Securing AI - There Is No Try, Only Do!.pdf
Priyanka Aash
 
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
Priyanka Aash
 
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
Priyanka Aash
 
10 Key Challenges for AI within the EU Data Protection Framework.pdf
Priyanka Aash
 
Techniques for Automatic Device Identification and Network Assignment.pdf
Priyanka Aash
 
Keynote : Presentation on SASE Technology
Priyanka Aash
 
Keynote : AI & Future Of Offensive Security
Priyanka Aash
 
Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
Demystifying Neural Networks And Building Cybersecurity Applications
Priyanka Aash
 
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
Priyanka Aash
 

Recently uploaded (20)

PDF
AI-Cloud-Business-Management-Platforms-The-Key-to-Efficiency-Growth.pdf
Artjoker Software Development Company
 
PDF
Orbitly Pitch Deck|A Mission-Driven Platform for Side Project Collaboration (...
zz41354899
 
PPTX
Applied-Statistics-Mastering-Data-Driven-Decisions.pptx
parmaryashparmaryash
 
PPTX
AI in Daily Life: How Artificial Intelligence Helps Us Every Day
vanshrpatil7
 
PDF
Automating ArcGIS Content Discovery with FME: A Real World Use Case
Safe Software
 
PDF
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
PDF
Security features in Dell, HP, and Lenovo PC systems: A research-based compar...
Principled Technologies
 
PDF
NewMind AI Weekly Chronicles - July'25 - Week IV
NewMind AI
 
PDF
Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...
Sandesh Rao
 
PPTX
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
PPTX
OA presentation.pptx OA presentation.pptx
pateldhruv002338
 
PDF
AI Unleashed - Shaping the Future -Starting Today - AIOUG Yatra 2025 - For Co...
Sandesh Rao
 
PDF
Using Anchore and DefectDojo to Stand Up Your DevSecOps Function
Anchore
 
PDF
Brief History of Internet - Early Days of Internet
sutharharshit158
 
PDF
A Strategic Analysis of the MVNO Wave in Emerging Markets.pdf
IPLOOK Networks
 
PDF
Presentation about Hardware and Software in Computer
snehamodhawadiya
 
PDF
CIFDAQ's Market Wrap : Bears Back in Control?
CIFDAQ
 
PDF
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
PDF
Peak of Data & AI Encore - Real-Time Insights & Scalable Editing with ArcGIS
Safe Software
 
PDF
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
AI-Cloud-Business-Management-Platforms-The-Key-to-Efficiency-Growth.pdf
Artjoker Software Development Company
 
Orbitly Pitch Deck|A Mission-Driven Platform for Side Project Collaboration (...
zz41354899
 
Applied-Statistics-Mastering-Data-Driven-Decisions.pptx
parmaryashparmaryash
 
AI in Daily Life: How Artificial Intelligence Helps Us Every Day
vanshrpatil7
 
Automating ArcGIS Content Discovery with FME: A Real World Use Case
Safe Software
 
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
Security features in Dell, HP, and Lenovo PC systems: A research-based compar...
Principled Technologies
 
NewMind AI Weekly Chronicles - July'25 - Week IV
NewMind AI
 
Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...
Sandesh Rao
 
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
OA presentation.pptx OA presentation.pptx
pateldhruv002338
 
AI Unleashed - Shaping the Future -Starting Today - AIOUG Yatra 2025 - For Co...
Sandesh Rao
 
Using Anchore and DefectDojo to Stand Up Your DevSecOps Function
Anchore
 
Brief History of Internet - Early Days of Internet
sutharharshit158
 
A Strategic Analysis of the MVNO Wave in Emerging Markets.pdf
IPLOOK Networks
 
Presentation about Hardware and Software in Computer
snehamodhawadiya
 
CIFDAQ's Market Wrap : Bears Back in Control?
CIFDAQ
 
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
Peak of Data & AI Encore - Real-Time Insights & Scalable Editing with ArcGIS
Safe Software
 
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 

Kernel Mode Threats and Practical Defenses

  • 1. KERNEL MODE THREATS AND PRACTICAL DEFENSES Joe Desimone Gabriel Landau
  • 2. ABOUT US Joe Desimone Senior Malware Researcher Interests include offensive security research, reverse engineering, threat intelligence, and development of endpoint protections. Gabriel Landau Principal Software Engineer Past work includes product & DRM evaluation, malware RE, and offensive security research. Interests include Windows internals, with a focus development of endpoint protections. @gabriellandau @dez_
  • 3. AGENDA PART 1 Evolution of kernel mode threats and platform protections PART 2 Offensive tradecraft to evade platform protections PART 3 Augmenting OS defenses
  • 4. WHY THE KERNEL? Defense Evasion • Hide processes, files, registry keys, network activity • Entrenchment/Persistence • Lack of visibility into kernel Privilege Escalation • Same privilege as security software EVOLUTION
  • 5. FIRST GENERATION KERNEL MALWARE Rustock (~2007) • Infect Windows drivers on disk • Standard rootkit functionality TDSS/TDL-1 (~2008) • Reg/File/Process/Network hiding • Infect driver ZeroAccess (~2009) • Overwrite random driver • Hidden encrypted NTFS volume • x86 only EVOLUTION
  • 6. PatchGuard • Detect kernel patching/hooks à BSOD • First on XP SP3 x64 (~2005) Driver Signature Enforcement (DSE) • All drivers must be digitally signed • First on Vista x64 (~2007) Both defenses became more important as x64 market share grew NEW OS DEFENSES EVOLUTION
  • 7. BOOTKITS EEye Bootroot (2005) • First public POC Mebroot AKA Sinowal (~2008) • NDIS hook to evade FW TLD4 (~2010) • Replace kdcom.dll to gain early execution • Modify Boot Config Data (BCD) to disable DSE Replace MBR (or VBR), gain execution before OS. Xpaj (~2012) • Set hooks before PG initialization EVOLUTION
  • 8. COUNTERING BOOTKITS Secure Boot • UEFI validates integrity of OS bootloader • First support was Windows 8 (~2012) Trusted Boot • Each component of early windows boot process is verified by signature Intel Boot Guard • Root of trust in hardware (CPU) Intel BIOS Guard • Secure BIOS Updates EVOLUTION
  • 9. BRING YOUR OWN VULN Uroburos / Turla • Exploit VBox driver • Disable DSE by modifying g_CiEnabled • Disable PatchGuard via RtlCaptureContext hook Derusbi • Exploit Novell driver • Disable DSE by modifying CiOptions • Also used stolen certificates Slingshot • Exploit Sandra driver • Hide network traffic Bring a signed, vulnerable driver. Use it to bootstrap into kernel. EVOLUTION
  • 10. DUQU 2.0 • Main payload used 0day in win32k.sys for kernel execution (CVE-2015-2360) • Hooked IAT of Kaspersky driver to spoof process information • Allowed user mode component to become trusted ksp process • Separate driver used for persistence in DMZ • Used stolen Foxconn certificate • Redirect traffic with NDIS filtering EVOLUTION
  • 11. • Volatile kernel mode implant • Loaded via remote ring0 exploit (ex ETERNALBLUE) • Evade PatchGuard by hooking srv!SrvTransactionNotImplemented pointer • Injects DLLs into usermode via APCs DOUBLEPULSAR EVOLUTION
  • 12. VIRTUALIZATION BASED SECURITY • VTL1 – new Secure Kernel, trustlets • VTL0 – normal Kernel, drivers • Extended Page Tables (SLAT/EPT) to guard access • IOMMU to protect from DMA access • Hypervisor Code Integrity (HVCI) • All kernel code must be signed, (W^X) • Credential Guard EVOLUTION
  • 13. Attacker Initial Kernel Malware – Rustock, TDSS, ZeroAccess Defender First Kernel Defenses – Patchguard and Driver Signature Enforcement (DSE) Defender Countering Bootkits – SecureBoot, Trusted Boot, Boot Guard, etc. Defender Virtualization Based Security (VBS) Attacker BootKit Malware – Sinowal, TDL4, Xpaj Attacker Exploit To Load Driver – Uroburos, Duqu2, DoublePulsar EVOLUTION
  • 14. KERNEL MITIGATIONS ACROSS WINDOWS VERSIONS EVOLUTION
  • 15. Adoption Rate Windows 10 is less than half of worldwide installations. How many are HVCI? EVOLUTION
  • 16. AGENDA PART 1 Evolution of kernel mode threats and platform protections PART 2 Offensive tradecraft to evade platform protections PART 3 Augmenting OS defenses
  • 17. INTERNAL RvB (red vs. blue exercise) FILELESS KERNEL MODE IMPLANT • Evade the Blue Team by moving to the kernel • Kernel dev environment • VS 2015, Windows Driver Kit (WDK) 10 • VirtualKD / WinDbg • Turla Driver Loader (TDL) EVASION
  • 18. IMPLANT DESIGN • Kernel mode ONLY • Winsock Kernel (WSK) for C2 • Triggerable (no beacons) • Basic backdoor functionality EVASION
  • 19. IMPLANT LOADER Script (Squiblydoo XSL / JScript, PowerShell) -> DotNetToJS -> .NET (MemoryModule) -> Native (TDL / exploit) EVASION
  • 20. STAYING DISKLESS: NETWORK DRIVER LOAD • Avoid dropping the driver to disk by loading it over WebDAV: • ZwLoadDriver(DeviceWebDavRedirector;[email protected]) • Sysmon path conversion bug EVASION
  • 24. EVADING VBS / HVCI • The VirtualBox driver vulnerability is a no-go: the driver won't even load under HVCI • Step one was to find a vulnerable driver which could load under HVCI. www.greyhathacker.net has tons of POCs (Parvez Anwar) • BYOV – Bring your own vulnerability. Choose wisely! • Static 1-byte write vs. write-what-where EVASION
  • 25. EVADING VBS / HVCI: DATA DRIVEN ATTACKS • Modification of kernel memory can significantly compromise the integrity of the system • IAT patching • Even if the IAT were protected by VBS, there are many other targets • Disable EDR kernel-user communications • Disable security-focused kernel ETW providers • Microsoft-Windows-Threat-Intelligence • Elevate privileges – token or handle • Data corruption in general EVASION
  • 29. EVADING VBS / HVCI: CODE RE-USE • Create a "surrogate" thread, put it to sleep • Find the location of its kernel stack [_ETHREAD] • Build a ROP chain • Hook the stack: overwrite the saved NtWaitForSingleObject return pointer with a pivot gadget • Resume the thread (ReleaseMutex) EVASION
  • 30. EVADING VBS / HVCI: CODE RE-USE • Dynamically build the chain based on the number of arguments of the target function • 10 gadgets give a full N-argument function call • Pivot (pop rsp; ret) • Restore the 16 bytes overwritten on the stack • Set up arguments in registers/stack • Call the target function • Save the return value (rax) • Restore R14 (mutex object) • Unpivot EVASION
  • 33. AGENDA PART 3 Augmenting OS defenses PART 1 Evolution of kernel mode threats and platform protections PART 2 Offensive tradecraft to evade platform protections
  • 34. DRIVER EVENTING • You should very carefully monitor driver load events • Look for low-prevalence drivers • Identify known-exploited drivers (blacklist) • Free instrumentation: • Sysmon Event ID 6: Driver loaded • Windows Defender Application Control (formerly Device Guard) audit mode DEFENSES
  • 35. REDUCING ATTACK SURFACE • Limit kernel drivers to WHQL-signed drivers via a code integrity policy DEFENSES
  • 36. REDUCING ATTACK SURFACE • Blacklisting exploitable drivers • Default in Win10 RS5 HVCI • Endgame Kernel Attack Surface Reduction (KASR) • No configuration required • Free. Available at www.endgame.com DEFENSES
  • 37. KERNEL MEMORY COLLECTION Problem: full memory acquisition and offline analysis does not scale. Solution: leverage the same techniques to read kernel memory at the endpoint and perform the analysis on the endpoint • \Device\PhysicalMemory • MmMapIoSpace • MmMapMemoryDumpMdl • Page Table Entry (PTE) remapping DEFENSES
  • 38. KERNEL MEMORY COLLECTION • Page Table Entry (PTE) remapping • Invented by Stüttgen and Cohen • Most performant in testing • More resilient to tampering from rootkits (no API to hook) • Based on the CPU architecture, so it is cross-OS-compatible • Modify the PTE of a controlled chunk of memory to point at the physical page you want to read DEFENSES
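The PTE remapping read described above, modelled in user-mode C as an added example (this is not the Endgame collector nor the Stüttgen/Cohen implementation). The "physical memory" array, the single page table and the controlled page's slot are constructed here so the logic runs offline; a real driver operates on the live page tables of its own allocation and must flush the stale translation with invlpg after each PTE rewrite, which the model only notes in comments.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x64 4-level paging constants. The page frame number occupies PTE bits 12..51. */
#define PAGE_SHIFT   12
#define PAGE_SIZE    (1ULL << PAGE_SHIFT)
#define PTE_PRESENT  (1ULL << 0)
#define PTE_RW       (1ULL << 1)
#define PTE_NX       (1ULL << 63)
#define PTE_PFN_MASK 0x000FFFFFFFFFF000ULL

struct va_indices { unsigned pml4, pdpt, pd, pt, offset; };

/* Split a virtual address into the four table indices and page offset the MMU walk uses. */
struct va_indices split_va(uint64_t va) {
    struct va_indices i;
    i.pml4   = (unsigned)((va >> 39) & 0x1FF);
    i.pdpt   = (unsigned)((va >> 30) & 0x1FF);
    i.pd     = (unsigned)((va >> 21) & 0x1FF);
    i.pt     = (unsigned)((va >> 12) & 0x1FF);
    i.offset = (unsigned)(va & 0xFFF);
    return i;
}

/* Core of the technique: keep every flag bit of the controlled page's mapping
   (present, RW, NX, cache bits, ...) and swap in the PFN of the frame we want to read. */
uint64_t pte_retarget(uint64_t orig_pte, uint64_t target_pa) {
    return (orig_pte & ~PTE_PFN_MASK) | (target_pa & PTE_PFN_MASK);
}

/* ---- Constructed model of the machine (assumption: 8 physical pages, one page table) ---- */
#define NPAGES 8
static uint8_t  g_phys[NPAGES][PAGE_SIZE];   /* stand-in for physical RAM */
static uint64_t g_pt[512];                   /* stand-in for the PT covering our 2MB region */
enum { CTRL_PT_INDEX = 5 };                  /* PTE slot of the page we allocated and control */

void setup_model(void) {
    for (int n = 0; n < NPAGES; n++)
        memset(g_phys[n], 0xA0 + n, PAGE_SIZE);      /* physical page n is filled with 0xA0+n */
    memset(g_pt, 0, sizeof g_pt);
    /* Our controlled page is backed by physical page 0: present, writable, non-executable. */
    g_pt[CTRL_PT_INDEX] = (0ULL << PAGE_SHIFT) | PTE_PRESENT | PTE_RW | PTE_NX;
}

/* Current PFN behind the controlled page, so a caller can verify the mapping was restored. */
uint64_t controlled_pfn(void) {
    return (g_pt[CTRL_PT_INDEX] & PTE_PFN_MASK) >> PAGE_SHIFT;
}

/* Read one byte of arbitrary physical memory through the controlled page.
   Returns 0 on success, -1 if the physical address lies outside the model. */
int read_phys_byte(uint64_t pa, uint8_t *out) {
    if ((pa >> PAGE_SHIFT) >= NPAGES) return -1;
    uint64_t saved = g_pt[CTRL_PT_INDEX];
    g_pt[CTRL_PT_INDEX] = pte_retarget(saved, pa);
    /* Real kernel: __invlpg(controlled_va) here, or the TLB keeps serving the old frame. */
    const uint8_t *frame = g_phys[controlled_pfn()];   /* what the MMU walk now resolves to */
    *out = frame[pa & (PAGE_SIZE - 1)];
    g_pt[CTRL_PT_INDEX] = saved;                       /* restore the original mapping (and invlpg again) */
    return 0;
}

int main(void) {
    setup_model();
    /* All four indices of this address are 0x1ED, the historically fixed Windows page-table self-map slot. */
    struct va_indices ix = split_va(0xFFFFF6FB7DBED000ULL);
    printf("pml4=%#x pdpt=%#x pd=%#x pt=%#x offset=%#x\n", ix.pml4, ix.pdpt, ix.pd, ix.pt, ix.offset);
    uint8_t b;
    if (read_phys_byte(3 * PAGE_SIZE + 0x10, &b) == 0)
        printf("phys 0x3010 = 0x%02X, controlled page back on PFN %llu\n",
               b, (unsigned long long)controlled_pfn());
    return 0;
}
```

The point the model makes is why the technique survives rootkit tampering: there is no acquisition API to hook, only a page-table entry to write and a TLB entry to flush, and the only flag that changes between reads is the PFN field.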
  • 39. FUNCTION POINTER INTEGRITY SCAN • Generically detect function pointer hooks • Locate function pointers by walking relocation tables • Consider a hit if the pointer: originally pointed to a +X section in the on-disk copy of the driver; does not point to a loaded driver in memory; points to executable memory • Endgame Marta • Free. Available at www.endgame.com DEFENSES
  • 40. REALTIME DETECTION OF UNBACKED KERNEL CODE Performance Monitoring Unit (PMU) • Built into most CPUs in the last decade • Programmable to count specific events • Can generate an interrupt when a certain number of events occur Detect unbacked kernel shellcode / unbacked drivers • Program the PMU to fire interrupts on some event likely to occur inside an unbacked driver • When the interrupt fires, validate that the instruction pointer belongs to a loaded driver DEFENSES
  • 42. REALTIME DETECTION OF UNBACKED KERNEL CODE Weaknesses • False positives from legitimately unbacked drivers (including PatchGuard) • Vulnerable to PMU disablement via MSR • Detection driver is susceptible to data attacks DEFENSES
  • 43. HYPERVISOR APPROACHES • MemoryMon • Leverages EPT to detect unbacked kernel code execution • AllMemPro • Mitigates data attacks by isolating driver data with the hypervisor • Based on the same platform as MemoryMon • SecVisor • CMU research from 2007 • Early implementation of hypervisor-enforced code integrity DEFENSES
  • 44. HARDENING THE WINDOWS KERNEL AGAINST ROP DEFENSES
  • 45. HARDENING THE WINDOWS KERNEL AGAINST ROP • Control Flow Guard (CFG) provides forward-edge CFI, but there is no reverse-edge CFI • Return Flow Guard (RFG) was cancelled • Intel CET requires future hardware IDEA: provide reverse-edge kernel CFI using the PMU DEFENSES
  • 46. HARDENING THE WINDOWS KERNEL AGAINST ROP ROP tends to generate lots of branch mispredictions • Scan drivers to identify call/return sites • Configure the LBR to record CPL0 near returns • Configure the PMU to fire a PMI when the BR_MISP_RETIRED counter overflows • Validate that every new LBR entry is call-preceded Performance • Protection tunable from deterministic to probabilistic (via the counter overflow threshold) • JetStream benchmark on Intel Skylake 6700K: ~1.1% overhead DEFENSES
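The "call-preceded" validation step above, as an added example in user-mode C (this is not Endgame's detection driver). It recognises the x86-64 direct call encoding (E8 rel32) and the near indirect call family (FF /2 with ModRM, SIB and displacement, optionally REX-prefixed), then applies the check to a hand-assembled code buffer and a constructed set of LBR entries; on real hardware the entries would be read from the LBR MSRs inside the PMI handler, and the image base and code bytes here are assumptions. The byte-level check also shows the known weakness of every call-preceded heuristic: an E8 or FF byte that is really part of another instruction's operand can make a gadget address look legitimate, which is why the deck scans drivers ahead of time to identify genuine call sites.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Length of an x86-64 near indirect CALL (opcode FF /2, optional REX prefix) starting at p,
   or 0 if the bytes at p are not such an instruction within 'avail' bytes. */
size_t indirect_call_len(const uint8_t *p, size_t avail) {
    size_t i = 0;
    if (avail >= 1 && (p[0] & 0xF0) == 0x40) i = 1;        /* REX prefix 0x40..0x4F */
    if (avail < i + 2 || p[i] != 0xFF) return 0;
    uint8_t modrm = p[i + 1];
    if (((modrm >> 3) & 7) != 2) return 0;                  /* reg field 2 selects CALL */
    uint8_t mod = modrm >> 6, rm = modrm & 7;
    size_t len = i + 2;
    if (mod == 3) return len;                               /* call r64 */
    if (rm == 4) {                                          /* SIB byte present */
        if (avail < len + 1) return 0;
        uint8_t sib = p[len++];
        if (mod == 0 && (sib & 7) == 5) len += 4;           /* SIB with no base: disp32 */
    } else if (mod == 0 && rm == 5) {
        len += 4;                                           /* [rip + disp32] */
    }
    if (mod == 1) len += 1;                                 /* disp8 */
    else if (mod == 2) len += 4;                            /* disp32 */
    return len <= avail ? len : 0;
}

/* A return target is "call-preceded" if the instruction ending right before it is a CALL. */
int is_call_preceded(const uint8_t *code, size_t code_len, size_t ret_off) {
    if (ret_off > code_len) return 0;
    if (ret_off >= 5 && code[ret_off - 5] == 0xE8) return 1;          /* E8 rel32 */
    for (size_t n = 2; n <= 8 && n <= ret_off; n++)                   /* FF /2 forms are 2..8 bytes */
        if (indirect_call_len(code + ret_off - n, n) == n) return 1;
    return 0;
}

struct lbr_entry { uint64_t from, to; };   /* one Last Branch Record: FROM_IP / TO_IP */

/* Validate LBR entries (already filtered by the hardware to CPL0 near returns) against the
   code of one image. Returns how many returns landed where no CALL precedes. */
size_t count_rop_returns(const struct lbr_entry *lbr, size_t n,
                         const uint8_t *code, size_t code_len, uint64_t image_base) {
    size_t bad = 0;
    for (size_t k = 0; k < n; k++) {
        if (lbr[k].to < image_base || lbr[k].to >= image_base + code_len) continue; /* other image */
        if (!is_call_preceded(code, code_len, (size_t)(lbr[k].to - image_base))) bad++;
    }
    return bad;
}

/* Constructed driver text (hand-assembled x86-64), not taken from any real binary. */
const uint8_t SAMPLE_CODE[] = {
    0x48, 0x83, 0xEC, 0x28,                 /* 00: sub rsp, 28h                 */
    0xE8, 0x10, 0x00, 0x00, 0x00,           /* 04: call +10h        -> returns to 09 */
    0x48, 0x8B, 0xC8,                       /* 09: mov rcx, rax                 */
    0xFF, 0x15, 0x00, 0x10, 0x00, 0x00,     /* 0C: call [rip+1000h] -> returns to 12 */
    0x41, 0xFF, 0xD3,                       /* 12: call r11         -> returns to 15 */
    0x90, 0x90, 0x90, 0x90,                 /* 15: nop x4                       */
    0xC3,                                   /* 19: ret                          */
};
const size_t SAMPLE_CODE_LEN = sizeof SAMPLE_CODE;

int main(void) {
    const uint64_t base = 0xFFFFF80000100000ULL;        /* assumed image base */
    struct lbr_entry lbr[] = {
        { base + 0x19, base + 0x09 },   /* legitimate: return after the direct call   */
        { base + 0x19, base + 0x0C },   /* ROP: lands mid-function, no call before it */
        { base + 0x19, base + 0x15 },   /* legitimate: return after call r11          */
        { base + 0x19, base + 0x16 },   /* ROP: lands inside the nop sled             */
    };
    printf("suspicious returns: %zu of 4\n",
           count_rop_returns(lbr, 4, SAMPLE_CODE, SAMPLE_CODE_LEN, base));
    return 0;
}
```

With the PMI threshold set to 1, every mispredicted return is inspected this way and the check is deterministic for ROP that trips the predictor; raising the threshold samples a fraction of them, which is the deterministic-to-probabilistic knob the slide refers to.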
  • 48. HARDENING THE WINDOWS KERNEL AGAINST ROP Limitations • Vulnerable to malicious drivers; hypervisor protection needed • wrmsr IA32_PERF_GLOBAL_CTRL, 0 disables the counters • Data attack against the policy bitmap • Requires an available PMU and LBR • No VMware/Hyper-V support • Incompatible with obfuscated drivers • Windows ships with two: clipsp.sys and peauth.sys • Something similar exists on Linux DEFENSES
  • 49. CONCLUSION • Windows platform security has gotten much better in the last decade. However, kernel mode threats are still a big concern • Use Windows 10 with Secure Boot and HVCI • Require EV/WHQL drivers via code integrity policy • Monitor and hunt on driver load events
  • 51. REFERENCES • https://www.virusbulletin.com/virusbulletin/2008/08/yet-another-rustock-analysis • https://securelist.com/rustock-and-all-that/36217/ • https://securelist.com/tdss/36314/ • https://people.eecs.berkeley.edu/~pearce/papers/zeroaccess_tr_2013.pdf • https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/trojan-zeroaccess-infection-analysis-12-en.pdf • https://nakedsecurity.sophos.com/zeroaccess/ • https://msdn.microsoft.com/en-us/library/bb530195.aspx • https://securelist.com/tdss-tdl-4/36339/ • https://www.coseinc.com/en/index.php?rt=download&act=publication&file=TDL4_Carrier_to_Glupteba.pdf • https://resources.infosecinstitute.com/uefi-and-tpm/ • http://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf • https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf • https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf • https://www.sekoia.fr/blog/windows-driver-signing-bypass-by-derusbi/ REFERENCES
  • 52. REFERENCES • https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf • https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205202/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf • https://securelist.com/the-duqu-2-0-persistence-module/70641/ • https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html • http://www.alex-ionescu.com/blackhat2015.pdf • http://gs.statcounter.com/windows-version-market-share/desktop/worldwide/ • https://github.com/hfiref0x/TDL • http://www.greyhathacker.net • https://posts.specterops.io/threat-detection-using-windows-defender-application-control-device-guard-in-audit-mode-602b48cd1c11 • https://www.dfrws.org/sites/default/files/session-files/pres-anti-forensic_resilient_memory_acquisition.pdf • https://www.cs.cmu.edu/~arvinds/pubs/secvisor.pdf • https://github.com/tandasat/MemoryMon • https://igorkorkin.blogspot.com/2018/03/hypervisor-based-active-data-protection.html • https://infocon.org/cons/SyScan/SyScan%202013%20Singapore/SyScan%202013%20Singapore%20presentations/SyScan2013_DAY1_SPEAKER05_Georg_WIcherski_Taming_ROP_ON_SANDY_BRIDGE_syscan.pdf • https://recon.cx/2015/slides/recon2015-05-peter-hlavaty-jihui-lu-This-Time-Font-hunt-you-down-in-4-bytes.pdf REFERENCES