Security researcher Antonio Parata, Researcher at CrowdStrike exposes the exploitation of a signed Minifilter Driver in a demonstration of the Bring Your Own Vulnerable Driver (BYOVD) technique. This technique utilizes a vulnerable driver to achieve specific goals, and it has gained traction among attackers seeking to terminate processes associated with security solutions like Endpoint Detection and Response (EDR). Paganini highlights the increasing attention on BYOVD, as attackers find it more strategic to terminate EDR processes than relying on obfuscation techniques. The researcher analyzes a signed minifilter driver, identified as probmon.sys, capable of creating a program within the kernel to terminate a specific process.
The vulnerable driver initiates the BYOVD attack by calling the FltRegisterFilter function to register the filter and creating a communication port using FltCreate Communication Port. The research delves into the technical intricacies, including the use of ZwTerminateProcess function and the necessary preconditions for process termination. Paganini emphasizes the potential misuse of such drivers for malicious purposes and underscores the importance of understanding and addressing vulnerabilities in signed drivers.
To further illustrate the exploit, Paganini provides the source code on GitHub (https://github.com/enkomio/s4killer). It’s worth noting that the driver is registered with the flag FLTFL_REGISTRATION_DO_NOT_SUPPORT_SERVICE_STOP, indicating that the minifilter is not unloaded in response to service stop requests. Additionally, attempts to unload the driver with fltmc result in the code STATUS_FLT_DO_NOT_DETACH, requiring a machine reboot for unloading.
