Using drivers for kernel operations during a Red Team operation
2019-11-09, 12:00–12:25 (US/Pacific), Red Day

During real world attacks and red team engagements using vulnerable drivers to read, write, and allocate is a powerful tool. This talk will cover how to a) load a vulnerable driver in Windows via code samples and b) use said vulnerable driver to perform some basic actions (read lsass, turn off a service) that a threat actor might do.

Using drivers as part of your kill chain is something that is sometimes risky, dangerous, and requires a decent amount of knowledge as not to break things on the system. However, when done properly this allows an attacker broad control over the infected system and the ability to bypass or attack defensive software installed at ease.

This talk will show code samples (to be made available on github) of how to load a vulnerable or malicious driver in Windows and then utilize that driver for basic operations, such as start or stop a process, and read memory of potentially a protected process. Due to the way security boundaries work on Windows, performing certain actions with a driver almost always is indefensible as the kernel boundary is not as segregated as user land. Knowing when to load a driver and what steps are required for loading one (and what telemetry is generated and how to potentially avoid it) is a useful tool in any Red Team’s pocket.

I am a senior security engineer on a Microsoft internal Red Team. I spend my days hacking Microsoft, writing software, and generally trying to not get fired while enjoying my job.

This speaker also appears in: