A Closer Look at Windows Kernel Threats
In this blog entry, we discuss the reasons why malicious actors choose to and opt not to pursue kernel-level access in their attacks. It also provides an overview of kernel-level threats that have been publicly reported from April 2015 to October 2022.
Save to Folio
Windows kernel threats have long been favoured by malicious actors because it can allow them to obtain high-privileged access and detection evasion capabilities. These hard-to-banish threats are still crucial components in malicious campaigns’ kill chains to this day. In fact, SentinelOne recently discovered malicious actors abusing Microsoft-signed drivers in targeted attacks against organisations in the telecommunication, business process outsourcing (BPO), managed security service provider (MSSP), and financial services industries. This month, SophosLabs also reported their discovery of a cryptographically signed Windows driver and an executable loader application that terminates endpoint security processes and services on targeted machines.
In this blog entry, we discuss the reasons why malicious actors choose to and opt not to pursue kernel-level access in their attacks. It also provides an overview of kernel-level threats that have been publicly reported from April 2015 to October 2022. We provide a more comprehensive analysis of the state of noteworthy Windows kernel threats in our research paper, “An In-depth Look at Windows Kernel Threats,” that we will be publishing in January 2023.
The pros and cons of pursuing kernel-level access
For malicious actors, gaining unfettered access to the kernel is optimal for their attacks. Not only will they be able to execute malicious code at the kernel level, but they will also be able to impair their victims’ security defences to remain undetected. However, it’s important to note that there are also downsides to developing kernel-level rootkits and other low-level threats.
- Gaining very high-privileged access to system resources
- Hiding malicious activity on devices and making detection and response activities more difficult
- Protecting malicious artefacts from normal system filtering processes
- Executing stealth operations that can bypass detection for extended periods
- Gaining inherited trust from third-party antivirus products
- Tampering with core services’ data flow that multiple user-mode applications depend on
- Tampering with third-party security products that hinder malicious activity
- Achieving a very low detection rate. According to intelligence reports, most modern rootkits remain undetected for a long period.
- Developing these threats can be expensive.
- Developing and implementing kernel rootkits are more difficult compared to other user-mode application malware types, which does not make them the ideal threat for most attacks.
- The development of kernel rootkits involves highly qualified kernel-mode developers who understand the targeted operating system’s internal components and have a sufficient level of competence when it comes to reverse engineering system components.
- Since kernel rootkits are more sensitive to errors, they might reveal the whole operation if it crashed the system and triggered the blue screen of death (BSOD) due to code bugs in the kernel module.
- Introducing a kernel-mode component will complicate the attack more than it will support it if the victim’s security mechanisms are already ineffective or can be taken down via a simpler technique.
How widespread are kernel threats?
We analysed in-the-wild threats that either completely rely on a kernel driver component or have at least one module in their attack chain that executes in the kernel space. These kernel-level threats were reported between April 2015 and October 2022 and do not include proofs of concept. The full analysis of collected kernel-level threat data can be found in our research paper, “An In-depth Look at Windows Kernel Threats.”
In our research, we categorised kernel-level threats into three clusters based on observable techniques:
Cluster 1: Threats that bypass kernel mode code signing (KMCS) policy
Cluster 2: Threats that comply with KMCS using legitimate create-your-own-driver techniques
Cluster 3: Threats that shift to a lower abstraction layer
We delve deeper into and provide real-world examples of these clusters on our landing page that we will also be publishing in January 2023.
Based on our observation, the number of noteworthy threats and other major events that have been publicly reported in the last seven years show a steady upward trend from 2018 onwards.
Currently, the greatest number of kernel threats that affect the Windows kernel still belong in the first cluster. The number of threats in this cluster is expected to rise until the adoption rate for the new hypervisor-based defence solutions introduced with Windows 10 increases. As adoption rates grow, the number of first-cluster threats is expected to significantly decrease.
However, data shows that the number of threats belonging in the second and third clusters have been increasing in the past three years.
Second cluster threats are less common due to the higher development cost. And despite the increase in the number of second cluster threats for the past five years, it is expected to decrease and eventually cease because of the KMCS policy in Windows 10 and 11. Meanwhile, threats that belong in the third cluster are the least common ones because of their complexity. We believe that third cluster threats will slowly increase in the coming years as malicious actors shift their initial infection points earlier into the process to evade modern security mechanisms.
We have also categorised these threats based on their specific use cases.
Based on our analysis, APT espionage malware used kernel-level components the most in their attacks. APT groups are known for having the resources to use stealthy components such as kernel rootkits and lower level implants in their attacks.
Ransomware and cryptocurrency-mining threats also used a notable number of kernel-level components in their attacks, which is likely to avoid being detected by security products as they drop their malicious payloads and steal resources from victim machines.
Based on our analysis of kernel-level threat data, advanced and mature malicious actors are still and will continue to seek high-privilege access to the Windows operating system to ensure that their attacks are successfully deployed. Because of the efficacy of endpoint protection platform (EPP) and endpoint detection and response (EDR) technologies, attackers will follow the path of least resistance and get their malicious code running from the kernel or on a lower level. This is why, despite a significant reduction of some of the kernel-level threats belonging to the three clusters, we believe that low-level threats will not become completely obsolete in the future.
Read the full analysis of Windows kernel threats in our research paper, “An In-depth Look at Windows Kernel Threats,” which will be released in January 2023.