At the heart of the Windows operating system and the lower levels of the software stack lies the kernel, a component that performs critical services and serves as the intermediary between a user’s input and the machine’s applications and hardware. The Windows kernel provides the basic functionality that all other services and processes in the operating system need to function, making it a vital part of computer operations.
Unfortunately, most security products today only secure and have visibility over the higher levels of the software stack. Because of this, malicious actors use rootkits and other threats to go after the kernel level to gain privileged access, install malicious components in infected systems, and fly under the radar for extended periods.
In this report, we examine how these low-level threats have evolved through the years and discuss the three types of low-level threats that affect Windows systems. The categorization of more than 60 of the most noteworthy low-level threats observed in the wild from 2015 to 2022, and where these threats stand in today’s threat landscape, are discussed in full in our research paper, “An In-depth Look at Windows Kernel Threats.”
New defense mechanisms in the Windows operating system have forced malware actors to adapt to the different abstraction layers to successfully create and carry out kernel-level attacks.
We discuss the state of Windows kernel threats before and after the introduction of the kernel mode code signing (KMCS) policy below:
Malicious actors were able to compile and load kernel-mode modules as part of their attack chains, regardless of their motive or technical capability.
The cost of getting kernel-level execution power was significantly lower.
The kernel space boundary was open to anyone who could compile a Windows kernel driver.
Malicious actors maintained a deep foothold in the kernel to subvert and manipulate system services, hook all kind of critical kernel objects, interfere with third-party antivirus engines, and corrupt system dispatch tables.
Windows shipped KMCS with Windows Vista 64-bit version systems after Windows developers assessed the damage caused by rootkits and other low-level malware types and the extent of their distribution.
Windows also included enhanced kernel patch-protection mechanisms such as Microsoft Key Provisioning Protocol (KPP), or PatchGuard.
Deploying kernel drivers for attacks became more costly for mid-level attackers.
These enhancements obligated hardware and software vendors to digitally sign their kernel drivers to control the quality of the code that runs in the address space of the kernel space.
The rootkit threat landscape changed dramatically during the KMCS era because of the following:
Higher development costs for loading kernel rootkits
Only a few malicious actors had the technical capabilities to include kernel rootkits in their malware arsenal
Malicious actors had new techniques for bypassing the security defenses Microsoft added to newer Windows versions
Figure 1 illustrates the state of kernel threats before the introduction of KMCS and after the first iteration of security enhancements were introduced.
The introduction of security mechanisms into newer Windows versions effectively reduced the volume of kernel rootkits and allowed security professionals to trace malicious code back to its authors. Because the KMCS policy hindered attackers from loading unsigned code into the kernel, they were forced to find other ways to bypass KMCS integrity checks.
After analyzing low-level threats discovered in the wild from April 2015 to October 2022, we were able to observe three main clusters of observable techniques. Each analyzed threat includes at least one kernel-level module that bypasses kernel-space access restrictions in their kill chains:
Threats that disable KMCS using legitimate built-in tools
Threats that abuse vulnerable drivers (bring your own vulnerable driver or BYOVD attacks)
Threats that abuse dual-usage drivers
Threats that target legacy systems
The threats in the first cluster use legitimate built-in tools that were mainly intended for debugging and testing to explicitly disable KMCS. These tools provide an interface for temporarily disabling driver verification and enabling test signing to verify the digital signature of the drivers. Inadvertently, these tools have stayed under the radar of monitoring systems.
These threats also use BYOVD, which involves piggybacking the intended kernel code through a vulnerable driver that can be legitimately loaded into a Windows system or a third-party kernel driver. A recent example of this technique was when ransomware actors abused a vulnerable anti-cheat driver for the role-playing game Genshin Impact to disable antivirus processes and services.
Threats that use stolen valid code-signing certificates
Threats that use acquired or purchased code-signing certificates
The threats in the second cluster comply with Microsoft’s signing requirements, which give them the flexibility to compile and sign the customized kernel drivers that are built for very specific tasks. This required malicious actors to either obtain a valid code-signing certificate by impersonating a legitimate entity and following Microsoft’s cross-signing certificate process (this was back when Microsoft still allowed cross-signing for kernel-mode code) or stealing someone else’s certificate.
The third cluster involves using a complex strategy of moving into a lower-level layer in the software stack and operating at a new abstraction layer. By doing so, it would be possible to load the malicious kernel code even before the full kernel and the core component that enforces the code-signing policy are initialized.
The techniques in this cluster later evolved from just infecting MBR/VBR/IPL entries in legacy BIOS-based boot processes to abusing firmware vulnerabilities, which are located one layer closer to the hardware.
As more modern security mechanisms are built into the Windows operating system, the threats that involve low-level components will continue to evolve. However, despite these security advancements, it still only takes one bypass to compromise the whole software stack. This is why it’s important to understand that built-in technologies are not enough to detect and thwart complex low-level threats.
Read our research paper, “An In-depth Look at Windows Kernel Threats,” to get a better understanding of how advanced malicious actors are adapting to the current defense mechanisms found in modern operating systems, how they are evolving their techniques, and what tools from underground marketplaces they use to abuse the Windows kernel.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).