
Chasing the Silver Fox Cat & Mouse in Kernel Shadows#1364

Merged
carlospolop merged 4 commits into master from update_Chasing_the_Silver_Fox__Cat___Mouse_in_Kernel_Shad_20250828_185321 on Sep 3, 2025

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Silver Fox APT BYOVD Campaign: Technical Summary and Analysis

Check Point Research details an in-the-wild Silver Fox APT campaign abusing signed-but-vulnerable Windows kernel drivers to kill EDR/AV, optionally escalate locally, and deploy ValleyRAT (aka Winos). The operation uses a dual-driver bring-your-own-vulnerable-driver (BYOVD) strategy inside a single all-in-one loader to support both legacy and modern Windows.

<...

🔧 Technical Details

BYOVD EDR/AV kill via Zemana‑based drivers: Load a signed vulnerable driver (e.g., WatchDog amsdk.sys v1.0.600 or legacy ZAM.exe). Because FILE_DEVICE_SECURE_OPEN is missing (amsdk.sys), open the device via its namespace (\\.\amsdk\anyfile). Register the caller with IOCTL 0x80002010, then terminate any target (even PP/PPL) using IOCTL 0x80002048. This reliably disables security tools on modern Windows where the driver is trusted.

<...

🤖 Agent Actions

I analyzed the Check Point Research post and updated HackTricks with the applicable, technical BYOVD and LPE techniques. No new files were needed; I integrated the new material into the most relevant existing pages, preserving structure and style.

What I added

  1. Windows -> AV/EDR Evasion: BYOVD
  • File updated: src/windows-hardening/av-bypass.md
  • Where: New subsection under Bring Your Own Vulnerable Driver (BYOVD) – Killing AV/EDR From Kernel Space
  • Content:
    • Detailed case study of WatchDog Anti‑Malware amsdk.sys v1.0.600 (Zemana SDK lineage) including:
      • Root cause: missing FILE_DEVICE_SECURE_OPEN causing device namespace bypass (open .\amsdk\anyfile by non-admin).
      • IOCTLs for EDR/AV kill and LPE: 0x80002010 (register), 0x80002048 (terminate process, including PP/PPL), 0x8...

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts

The searchindex.js file is automatically generated and should not be included in manual commits.
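A host-side hunt for the driver images the summary above names, as an added example (not code from the PR, HackTricks or the Check Point post); it assumes Sysmon driver-load logging (Event ID 6) is enabled and uses only the file-name patterns and the 1.0.600 version string from the PR as identifiers.

```powershell
# Added detection example; not code from the PR, HackTricks or the Check Point write-up.
# Assumptions: Sysmon is installed with DriverLoad (Event ID 6) enabled, and the name
# patterns below are my guesses for the WatchDog/Zemana-lineage images the PR names
# (amsdk.sys; "ZAM" for the legacy Zemana component). Version 1.0.600 is the one the PR
# calls vulnerable; any other version of these images is still reported for review.
$KnownVulnerableVersion = '1.0.600'
$NamePatterns = @('^amsdk\.sys$', '^zam[^\\]*\.(sys|exe)$')

function Test-SuspectDriverName {
    param([string]$Path)
    if (-not $Path) { return $false }
    $leaf = [System.IO.Path]::GetFileName($Path)
    foreach ($pattern in $NamePatterns) {
        if ($leaf -imatch $pattern) { return $true }
    }
    return $false
}

function Get-VersionFlag {
    param([string]$FileVersion)
    if (-not $FileVersion) { return 'UNKNOWN-VERSION' }
    # FileVersion strings vary ("1.0.600.0", "1, 0, 600, 0"); normalise before comparing.
    $normalised = ($FileVersion -replace '[,\s]+', '.').Trim('.')
    if ($normalised -like "$KnownVulnerableVersion*") { return 'KNOWN-VULNERABLE' }
    return 'REVIEW'
}

# 1) Drivers registered on the live host (Service Control Manager view, no Sysmon needed).
$registered = Get-CimInstance Win32_SystemDriver |
    Where-Object { Test-SuspectDriverName $_.PathName } |
    ForEach-Object {
        $file = $_.PathName -replace '^\\\?\?\\', ''   # strip the \??\ prefix SCM sometimes reports
        $info = (Get-Item -LiteralPath $file -ErrorAction SilentlyContinue).VersionInfo
        [pscustomobject]@{
            Source = 'Win32_SystemDriver'; Name = $_.Name; State = $_.State
            Path = $file; FileVersion = $info.FileVersion; Flag = Get-VersionFlag $info.FileVersion
        }
    }

# 2) Historical loads from Sysmon Event ID 6, which also records the image hash and signer.
$loaded = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        if (Test-SuspectDriverName $data['ImageLoaded']) {
            [pscustomobject]@{
                Source = 'Sysmon-6'; Time = $_.TimeCreated; Path = $data['ImageLoaded']
                Signature = $data['Signature']; Hashes = $data['Hashes']
            }
        }
    }

@($registered) + @($loaded) | Format-Table -AutoSize
```

The Sysmon hashes and signer recorded in the output can be matched against your driver blocklist; a signed-but-vulnerable image will show a valid signature, so the name and version, not the signature status, are the useful signal here.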

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://research.checkpoint.com/2025/silver-fox-apt-vulnerable-drivers/

Content Categories: Based on the analysis, this content was categorized under "Windows -> Privilege Escalation & EDR Evasion -> BYOVD (Vulnerable Signed Drivers)".

Repository Maintenance:

  • MD Files Formatting: 877 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

github-actions Bot force-pushed the master branch 7 times, most recently from ae753fd to 652a8c4 (September 3, 2025 10:29)
@carlospolop
Copy link
Copy Markdown
Collaborator Author

merge

github-actions Bot force-pushed the master branch 3 times, most recently from c7c075d to ab8f715 (September 3, 2025 12:11)
carlospolop merged commit e2d3cd5 into master on Sep 3, 2025
carlospolop deleted the update_Chasing_the_Silver_Fox__Cat___Mouse_in_Kernel_Shad_20250828_185321 branch on September 3, 2025 14:02
github-actions Bot pushed a commit that referenced this pull request Sep 3, 2025
…er_Fox__Cat___Mouse_in_Kernel_Shad_20250828_185321

Chasing the Silver Fox Cat & Mouse in Kernel Shadows
carlospolop added a commit that referenced this pull request Sep 29, 2025
…er_Fox__Cat___Mouse_in_Kernel_Shad_20250828_185321

Chasing the Silver Fox Cat & Mouse in Kernel Shadows