Recent Posts
Archives

AI BEA CTO Cybersecurity DefCon32 Devoxx DevoxxBE2023 DevoxxBE2024 DevoxxFR DevoxxGR2025 DevoxxGreece2025 DevoxxPL2022 DevoxxPoland DevoxxUK2024 DevoxxUS2017 Docker Eclipse EJB GWT Hibernate IntelliJ IDEA Java Jetty JMS Jonathan Lalou JSF Kotlin Kubernetes Maven Maven 2 Microservices Mule Mule ESB Oracle OxidizeConf2024 Python recommendation RustLang Security Spring SQL Tomcat tutorial Weblogic Weblogic 10

Posts Tagged ‘DriverJack’

PostHeaderIcon [DefCon32] DriverJack: Turning NTFS and Emulated ROFs into an Infection

Author: Jonathan Lalou

Alessandro Magnosi, a security researcher at the British Standards Institute, unveils an innovative technique for loading malicious drivers on Windows 11 by exploiting NTFS features and emulated read-only filesystems (ROFs). His presentation at DEF CON 32 explores how advancements in Windows security, such as Driver Signature Enforcement (DSE) and Hypervisor-protected Code Integrity (HVCI), have pushed attackers to exploit new vulnerabilities. Alessandro’s work provides actionable detection strategies to counter these sophisticated threats.

Exploiting NTFS and ROFs

Alessandro introduces his DriverJack technique, which manipulates NTFS and emulated CDFS vulnerabilities to bypass modern Windows protections. By exploiting previously identified flaws in emulated filesystems, Alessandro demonstrates how attackers can covertly install malicious drivers. His approach, developed at the British Standards Institute, leverages these weaknesses to achieve persistence, evading detection mechanisms designed to thwart traditional malware deployment.

Bypassing Security Mechanisms

Delving deeper, Alessandro explains how DriverJack circumvents DSE and HVCI. He explores alternative malware delivery methods in usermode, integrating with tools like Kernel Driver Utility (KDU) and Canal Forge when HVCI is disabled. Alessandro highlights the challenges of exploiting modern CPUs, noting that outdated hardware exacerbates vulnerabilities, making timely updates critical for system security.

Detection and Mitigation Strategies

Alessandro provides practical Indicators of Compromise (IOCs), such as monitoring for privilege escalations to SYSTEM or TrustedInstaller, drive letter changes, and alterations in the NT object manager. He advocates for runtime hash verification of driver load events to detect discrepancies, ensuring robust defense against DriverJack. His publicly available proof-of-concept on GitHub empowers researchers to test and refine these countermeasures.

Strengthening System Defenses

Concluding, Alessandro urges organizations to prioritize hardware updates and implement cross-checks for driver integrity. His work underscores the evolving nature of cyber threats, encouraging the cybersecurity community to stay vigilant. By sharing DriverJack’s methodologies, Alessandro inspires proactive measures to safeguard Windows systems against emerging exploits.

Links:

Posted in en-US | Tags: , , , , , , | No Comments »
(c) 2008 Jonathan Lalou's Blog
All Rights Reserved.

Powered by WordPress and WordPress Theme | Host-euro.