
Some of these drivers are on 🔥 #77

Closed
HotCakeX opened this issue May 10, 2023 · 1 comment
@HotCakeX
Hi,
I was introduced to this project yesterday and began some tests to see how these drivers perform against Windows Defender Application Control policies and Microsoft Defender. Here are my findings:

Part 1: Malicious files

One of the main problems is the use of the phrase Living Off The Land: these are supposed to be legitimate, non-malicious files that can be misused to circumvent security solutions, but what I'm seeing is straight-up malware that Microsoft Defender already detects and blocks.

So, to prevent redundancy, I suggest removing those files from the driver package and instead letting the default security solution take care of them.
For the rest of the files, there are automatic sample submission and the global MAPS and ISG networks, which get notified about these files every time they are run.

Part 2: Non-Malicious files

These are another story. I couldn't find a clear reason for each file as to why it's labeled as LOLDriver.

The questions I'd have in mind (and most likely businesses/enterprises too) about each file are:

  • What role does it play in circumventing security measures?
  • Does it help bypass WDAC? (If so, it should be reported to Microsoft as well to be added to the official recommended block rules)
  • Is there a PoC for it bypassing security measures?
  • Does Smart App Control (that uses Intelligent Secure Graph) block them?
  • Are some of these drivers also included in Microsoft recommended driver block rules? (to prevent duplication when merging with a WDAC policy)

Microsoft Defender results after running all of the driver files; these are the ones I was referring to as redundant:

All records share RunspaceId bca4d8af-c8df-4bf6-b486-9cfc82918041, SchemaVersion 1.0.0.0, TypeID 0 and an empty Resources field; the fields that vary are tabulated below.

| ThreatName | ThreatID | CategoryID | SeverityID | DidThreatExecute | IsActive | RollupStatus |
|---|---|---|---|---|---|---|
| PUA:Win32/Kuping | 226944 | 27 | 1 | False | True | 1 |
| PUA:Win32/GameBox | 227008 | 27 | 1 | False | True | 1 |
| PUA:Win32/Presenoker | 242420 | 27 | 1 | False | True | 1 |
| PUADlManager:Win32/InstallCore | 311991 | 27 | 1 | False | True | 1 |
| VirTool:WinNT/Rootkitdrv.HK | 2147635777 | 34 | 5 | True | False | 65 |
| VirTool:WinNT/Exforel.A | 2147668298 | 34 | 5 | True | False | 65 |
| Trojan:Win32/Ditertag.A | 2147722997 | 8 | 5 | True | False | 65 |
| HackTool:Win64/CapRoot.A | 2147723443 | 34 | 4 | True | False | 65 |
| Trojan:Win32/Wacatac.B!ml | 2147735505 | 8 | 5 | True | False | 65 |
| Trojan:Win32/RootkitDrv!MSR | 2147750647 | 8 | 5 | True | False | 65 |
| Trojan:Win32/Rootkit!MSR | 2147753900 | 8 | 5 | True | False | 65 |
| Trojan:Win32/Tnega!MSR | 2147754624 | 8 | 5 | True | False | 97 |
| Trojan:Win64/Tnega!MSR | 2147762521 | 8 | 5 | True | False | 65 |
| Trojan:Win64/RootkitDrv!MSR | 2147805432 | 8 | 5 | True | False | 97 |
| Trojan:Win64/Rootkit!MSR | 2147805996 | 8 | 5 | True | False | 65 |
| Trojan:Win32/Wacatac.H!ml | 2147814523 | 8 | 5 | True | False | 97 |
| Trojan:Win64/BlackLotus!MSR | 2147842086 | 8 | 5 | True | False | 65 |

The following drivers are blocked when the Default Windows WDAC policy is deployed (a total of 431 drivers):

Download file: 👇👇

Blocked by Default Windows Policy.md


The script I used to automate the tests

Execution

```powershell
# Register every file in the folder as its own service and try to start it,
# so that Code Integrity evaluates each driver and logs the outcome.
$i = 0
(Get-ChildItem "C:\Users\Admin\Desktop\drivers").FullName | ForEach-Object {
    New-Service -BinaryPathName $_ -Name "DriverTest$i" -Description $_ -StartupType Manual
    Start-Service -Name "DriverTest$i" -ErrorAction SilentlyContinue
    $i++
}
# The DriverTest* services are left registered; remove them once the test is done.
```

Increase Code Integrity Operational log size

```powershell
# Enlarge the log so that the 3077 events from the whole run fit before older entries are overwritten.
$logName = 'Microsoft-Windows-CodeIntegrity/Operational'
$log = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $logName
$log.MaximumSizeInBytes = 50000000   # bytes (~50 MB); a numeric value, not a string
$log.IsEnabled = $true
$log.SaveChanges()
```

Logs gathering

```powershell
$ScriptBlock = {
    # Event Viewer Code Integrity logs scan: event ID 3077 = file blocked by the enforced policy
    foreach ($event in Get-WinEvent -FilterHashtable @{LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; ID = 3077 } -ErrorAction SilentlyContinue) {
        $xml = [xml]$event.ToXml()
        # Turn the <Data Name="..."> elements of the event into one object with named properties
        $xml.event.eventdata.data | ForEach-Object { $hash = @{} } { $hash[$_.name] = $_.'#text' } { [pscustomobject]$hash } |
            Select-Object -Property 'SHA256 Hash', 'File Name', 'OriginalFileName', 'ProductName', 'InternalName', 'FileDescription', 'FileVersion', 'SHA1 Hash', 'USN'
    }
}
$Results = Invoke-Command -ScriptBlock $ScriptBlock
$Results
$Results | clip   # copy the table to the clipboard as well
Write-Host "A total of $($Results.Count) drivers have been blocked"
```
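The fifth question in the list above (whether a driver that Code Integrity blocked is already covered by Microsoft's recommended driver block rules) can be answered by intersecting the hashes in the 3077 events with the `Hash` attributes of the policy's `Deny` rules. The following is an added example, not code from this issue or from the LOLDrivers project; it is written in Python so it runs offline on exported XML, and the policy fragment, event XML and hash values are constructed placeholders. It assumes the block rules are in WDAC policy XML form and relies on the `SHA256 Hash`/`SHA1 Hash` fields of a 3077 event being Authenticode (PE) hashes, the same kind a WDAC hash rule matches on, rather than the flat hash of the file.

```python
import xml.etree.ElementTree as ET

SIP = "{urn:schemas-microsoft-com:sipolicy}"                     # WDAC policy XML namespace
EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"  # Windows event XML namespace

# Constructed sample in the shape of a policy's FileRules section. Hashes are placeholders,
# not real driver hashes; the third rule is name-based and carries no Hash attribute.
SAMPLE_POLICY = f"""<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <FileRules>
    <Deny ID="ID_DENY_D1_SHA256" FriendlyName="driver1.sys Hash Sha256" Hash="{'A1' * 32}" />
    <Deny ID="ID_DENY_D1_SHA1" FriendlyName="driver1.sys Hash Sha1" Hash="{'b2' * 20}" />
    <Deny ID="ID_DENY_OLD" FriendlyName="olddriver.sys by name" FileName="olddriver.sys" />
  </FileRules>
</SiPolicy>"""

def _sample_event(name: str, sha256: str, sha1: str) -> str:
    """Constructed 3077 event XML, trimmed to the EventData fields the issue's script selects."""
    return (f'<Event xmlns="{EVT[1:-1]}"><System><EventID>3077</EventID></System><EventData>'
            f'<Data Name="File Name">\\Device\\HarddiskVolume3\\drivers\\{name}</Data>'
            f'<Data Name="SHA256 Hash">{sha256}</Data><Data Name="SHA1 Hash">{sha1}</Data>'
            '</EventData></Event>')

SAMPLE_EVENTS = [_sample_event("driver1.sys", "A1" * 32, "B2" * 20),   # hash already denied
                 _sample_event("driver2.sys", "C3" * 32, "D4" * 20)]   # not in the policy

def deny_hashes(policy_xml: str) -> dict:
    """Map each hash on a Deny rule (upper-cased hex) to that rule's FriendlyName."""
    root = ET.fromstring(policy_xml)
    return {d.get("Hash").upper(): d.get("FriendlyName", d.get("ID", ""))
            for d in root.iter(SIP + "Deny") if d.get("Hash")}

def event_fields(event_xml: str) -> dict:
    """Flatten EventData into {Name: text}, like the ForEach-Object hashtable in the issue."""
    root = ET.fromstring(event_xml)
    return {d.get("Name"): (d.text or "") for d in root.iter(EVT + "Data")}

def already_blocked(policy_xml: str, events: list) -> list:
    """(File Name, matching rule) for each event whose SHA256 or SHA1 Authenticode hash is
    already denied. Hex case is normalised because policy XML may use either case."""
    denied = deny_hashes(policy_xml)
    hits = []
    for ev in events:
        f = event_fields(ev)
        for key in ("SHA256 Hash", "SHA1 Hash"):
            if f.get(key, "").upper() in denied:
                hits.append((f["File Name"], denied[f[key].upper()]))
                break
    return hits
```

Feed `already_blocked` the policy text and the `$event.ToXml()` strings produced by the issue's own gathering script; any driver it returns would be duplicated if the collected hashes were merged into a policy that already includes the block rules.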

MHaggis commented Jun 28, 2023

Thank you for this @HotCakeX ! I'm going to close this, but that does not mean it is irrelevant. Really appreciate the share.

@MHaggis MHaggis closed this as completed Jun 28, 2023