Detect and Block Execution of Vulnerable Drivers (CM0058)

In Playbook

Details

  • ID: CM0058
  • Version: 1.0
  • Created: 14 March 2025
  • Modified: 14 March 2025
  • Type: Examine, Disable
  • Status: Active

Intended Outcome

Detecting and blocking the execution of vulnerable drivers prevents and/or detects adversaries attempting to use vulnerable drivers to evade defenses and escalate privileges.

Introduction

Drivers are software that act as intermediaries between the operating system and the underlying hardware. In essence, a driver solves compatibility issues between hardware and software. Adversaries abuse vulnerable drivers using a technique known as Bring Your Own Vulnerable Driver (BYOVD). In this attack an adversary delivers and installs a vulnerable driver on to the target system and exploits the vulnerability to execute code in kernel mode. Adversaries in the past or targeting older platforms would load unsigned drivers for exploitation. Due to Windows Driver Signature Enforcement (DSE), only signed kernel drivers can be loaded. Therefore, adversaries will load and exploit vulnerable signed drivers and then load unsigned malicious drivers. Microsoft's attack surface reduction (ASR) tool, Intune, can be configured to prevent installation of vulnerable signed drivers.

Preparation

  • Consult documentation and SMEs regarding needed drivers.

Risks

  • Blocking vulnerable drivers can result in operational disruption if hardware that is no longer supported is in use.
  • Applications with embedded device drivers will break or lose functionality. Check vendor to see is a solution for decoupling an application from the embedded driver with a more secure version.
  • Blocking vulnerable device drivers can cause Windows to produce a "Blue Screen of Death" error.

Guidance

Detection of vulnerable or malicious drivers

  • Monitor driver loads through event logs.
      • Sysmon event id 6 records driver loads.
    • Monitoring Services
      • Command line monitoring (sc.exe query)
      • Reg modifications to HKLM\SYSTEM\CurrentControlset\Services
      • Manual inspection using Windows Device Manager (devmgmt.msc)
    • Alert to security processes terminated by drivers
    • Audits using specialized software, driver queries, or manual inspection and comparing active driver list to a whitelist or blacklist of drivers.

Blocking execution or loading of vulnerable or malicious drivers

To address the challenge of adversaries loading signed drivers, the certificate of known vulnerable or malicious drivers should be in a revocation list. Microsoft provides tools which can be enabled or configured to prevent abuse of vulnerable drivers which will be covered in this guidance section.
Enable/Verify Microsoft's vulnerable driver blocklist
Microsoft's vulnerable driver blocklist is a native utility for Windows 11 2022 and above that receives updates 1-2 times per year for the block list. Vulnerable driver blocklist is enforced when Hypervisor-protected coded integrity or HVCI, Smart App Control, or S mode is active. Navigate to the Windows Security App -> Click Device Security -> Core Isolation -> Toggle switch on for Microsoft Vulnerable Driver Blocklist if off.
Windows Defender Application Control (WDAC)
For devices where HVCI or S mode is not available, Microsoft offers a recommended block list that can be added to Windows Defender Application Control policy. To view and download list, search for Microsoft's driver block list. It is also recommended to test the policy in audit mode and review the audit block events to mitigate implementation risks.

References

  • ID: CM0058
  • Version: 1.0
  • Created: 13 March 2025
  • Modified: 13 March 2025
  • Type: Examine, Disable