Windows' Driver Signature Enforcement, the policy requiring all kernel-mode drivers to be digitally signed by a trusted Certificate Authority (CA), does not check certificate revocation lists at kernel load time. Researchers noted that this is a legacy behavior that is still exploitable because of backward-compatibility options introduced years ago, which allow an exception for drivers signed with certificates issued before July 29, 2015, that chain to a supported cross-signed CA.
The EnCase driver contains a timestamp from a VeriSign service, which the authentication check still considers valid. "When code is signed with a timestamp, Windows validates the signature against the time the signature was created, not the current date," the researchers noted. "Because the driver was timestamped while the certificate was still valid (before January 31, 2010), the signature remains valid indefinitely, even though the certificate has since expired."
Once in the kernel, the driver exposes an IOCTL interface that lets the malware terminate arbitrary processes with full system privileges. Among the functionality exposed are process termination commands that bypass user-mode safeguards for Protected Process Light (PPL) processes, the defenses EDR systems rely on to avoid tampering.
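As an added defensive example, not code from the article or the researchers: a PowerShell inventory script (assumed to run from an elevated prompt on the host being inspected) that lists running kernel drivers whose Authenticode signature is still reported Valid thanks to a timestamp, even though the signer certificate has expired and was issued before the July 29, 2015 cutoff described above.

```powershell
# Added example: find running kernel drivers whose trust rests on the legacy
# timestamp / pre-2015 certificate exception. Detection only; no driver is touched.
$LegacyCutoff = Get-Date '2015-07-29'   # cutoff date cited in the article

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver.PathName comes in several shapes; normalise to a file path.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                              # \??\C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"        # \SystemRoot\System32\...
    if ($p -match '^(?i)system32\\') { $p = Join-Path $env:SystemRoot $p }  # relative
    return $p
}

function Get-LegacySignedDrivers {
    $now = Get-Date
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $cert = $sig.SignerCertificate
            if (-not $cert) { return }
            [pscustomobject]@{
                Driver        = $_.Name
                Path          = $path
                Status        = $sig.Status                 # stays 'Valid' if timestamped
                Signer        = $cert.Subject
                CertNotBefore = $cert.NotBefore
                CertNotAfter  = $cert.NotAfter
                CertExpired   = $cert.NotAfter -lt $now
                Timestamped   = [bool]$sig.TimeStamperCertificate
                # Issued before the cutoff: eligible for the legacy cross-signing exception
                PreCutoffCert = $cert.NotBefore -lt $LegacyCutoff
            }
        }
}

# Report drivers whose trust rests on a timestamp over an expired, pre-cutoff certificate.
Get-LegacySignedDrivers |
    Where-Object { $_.Status -eq 'Valid' -and $_.CertExpired -and $_.Timestamped -and $_.PreCutoffCert } |
    Sort-Object CertNotAfter |
    Format-Table Driver, Signer, CertNotBefore, CertNotAfter, Path -AutoSize
```

A hit is a lead for review against your driver allow-list and vendor advisories, not proof of abuse: many legitimate, older drivers are signed this way.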