NetworkBear (Member, 4 posts)

Kudos
  1. Upvote
    NetworkBear gave kudos to itman in Possible FP with Intel driver?
    I'm going to give Eset a "pass mark" on its vulnerable driver detection upon any process access attempt. Here's why.
    I went back and reviewed the KDU article. Of note are the screenshots showing the actual exploit in action. I noticed that the provider driver being used was RTCore64.sys and it was being loaded "on the fly." This driver is the vulnerable MSI Afterburner utility driver exploited in a number of BlackByte ransomware attacks.
    Now let's simulate use of the vulnerable MSI driver being dropped on a target device and being loaded "on the fly" w/o KDU use. I found the vulnerable driver here: https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/ which includes instructions on how to load the driver "on the fly." The first thing to note is that what is downloaded is a .bin file. It is not detected by Eset upon download. Nor is it detected by anyone at VT except Dr. Web and Elastic. Assume that those detections are by hash.
    Upon access of the .bin file via Win Explorer to check its Properties, the file was loaded in memory and Eset detected it:
    Again, the known vulnerable driver exploits presently do not work with HVCI - Memory integrity enabled. But detecting the vulnerable driver on the disk will prevent any future unknown driver exploits from succeeding.
  2. Upvote
    NetworkBear gave kudos to itman in Possible FP with Intel driver?
    I believe this needs to be said. Do you really need to rely on Eset vulnerable driver protection?
    In Win 10 with HVCI - Memory integrity enabled, it will block any attempted loaded driver code modification. Likewise in Win 11, the same is enabled in addition to the Vulnerable Driver Blocklist setting enabled in the same section.
    https://www.elevenforum.com/t/enable-or-disable-microsoft-vulnerable-driver-blocklist-in-windows-11.10031/
    Refs.: https://techcommunity.microsoft.com/t5/microsoft-security-experts-blog/strategies-to-monitor-and-prevent-vulnerable-driver-attacks/ba-p/4103985
    https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity
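    The two posts above lean on three things: that HVCI / Memory integrity is actually running, that the Microsoft Vulnerable Driver Blocklist is enabled, and that a dropped driver can be caught on disk by hash. The PowerShell below is an added example (not itman's, not ESET's, not from the linked articles) that reports those states and performs the on-disk hash check. It assumes the documented Win32_DeviceGuard CIM class and the documented registry values for the Memory integrity toggle and the blocklist; the SHA256 values and the scan path are placeholders to be replaced with real intel (e.g. from loldrivers.io).

```powershell
# Added example, not from the forum thread. Run in an elevated PowerShell.

# --- 1. HVCI / Memory integrity: is it configured and actually running? ---
# Win32_DeviceGuard lists security services as integers; 2 = HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciRunning    = $dg.SecurityServicesRunning    -contains 2
$hvciConfigured = $dg.SecurityServicesConfigured -contains 2

# Registry value written by the "Memory integrity" toggle (Enabled = 1).
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$hvciReg = (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled

# --- 2. Microsoft Vulnerable Driver Blocklist (1 = on, 0 = off, absent = OS default) ---
$ciKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciKey -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

[pscustomobject]@{
    HVCI_Running              = $hvciRunning
    HVCI_Configured           = $hvciConfigured
    HVCI_RegistryEnabled      = $hvciReg
    VulnerableDriverBlocklist = $blocklist
} | Format-List

# --- 3. On-disk hash check, the same mechanism behind the VT hits in the post ---
# PLACEHOLDER hashes: substitute SHA256 values from loldrivers.io or your own feed.
$knownBad = @{
    'PLACEHOLDER_SHA256_RTCORE64' = 'RTCore64.sys (MSI Afterburner)'
    'PLACEHOLDER_SHA256_PMXDRV'   = 'PmxDrv (Intel(R) Management Engine Tools)'
}
$scanPath = 'C:\Windows\Temp'   # assumed drop location; adjust for your environment

# Hash .sys and .bin files (the loldrivers download is a .bin) and report matches.
Get-ChildItem -Path $scanPath -Recurse -File -Include *.sys,*.bin -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        if ($knownBad.ContainsKey($h)) {
            [pscustomobject]@{ Path = $_.FullName; SHA256 = $h; Match = $knownBad[$h] }
        }
    }
```

    If HVCI_Configured is true but HVCI_Running is false, the machine needs a reboot (or virtualization support is missing), and the known driver exploits the post mentions are not blocked until it is running. The hash scan only catches files whose hash is already in the list, which is exactly the limitation the post points out for the VT results.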
  3. Upvote
    NetworkBear gave kudos to Marcos in Possible FP with Intel driver?
    We've added a detection on May 6th.
    https://github.com/hfiref0x/KDU
    Id   Vendor   Driver   Software package                           Version
    52   Intel    PmxDrv   Intel(R) Management Engine Tools Driver    1.0.0.1003 and below