Abstract
Device drivers play an essential role in operating systems; therefore, they are always on the target of bug hunters. Many vulnerabilities have been reported for decades, and the number of new ones is increasing every year. Although the drivers would be patched in the newer version, the older ones are still benign programs with signed digital signatures trusted by antivirus software. Cyber adversaries can use the unsafe version of drivers to perform malicious actions. This study demonstrates how to use an old version from 2012 of the Intel Network Adapter Diagnostic Driver for Windows OS credential dumping. We successfully collect credentials in the memory without any notification from the antivirus programs. By evading almost all the current security products with an aged driver, our results raise awareness for the potential threat from vulnerable drivers and the call for mechanisms to counter this attack technique.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Driver Signing, Microsoft Documentation. Accessed 08 Aug 2021
CVE-2021–21551- Hundreds of Millions of Dell Computers at Risk due to Multiple BIOS Driver Privilege Escalation Flaws, SentinelLabs (2021)
CVE-2008–3431. https://nvd.nist.gov/vuln/detail/CVE-2008-3431, Accessed 08 Aug 2021
Digging up InvisiMole’s Hidden Arsenal, WeLiveSecurity by ESET (2020)
The Slingshot APT FAQ, Securelist by Kaspersky (2018)
Blaauwendraad, B., Ouddeken, T., Van Bockhaven, C.: Using Mimikatz’ Driver, Mimidrv, to Disable Windows Defender in Windows (2020)
Karantzas, G., Patsakis, C.: An empirical assessment of endpoint detection and response systems against advanced persistent threats attack vectors. J. Cybersecur. Priv. 1(3), 387–421 (2021)
_xeroxz: VDM - Vulnerable Driver Manipulation. https://back.engineering/01/11/2020, Accessed 08 Aug 2021
_xeroxz: The Physmeme Open-Source Project. https://githacks.org/_xeroxz/physmeme, Accessed 08 Aug 2021
KDMapper Project. https://github.com/TheCruZ/kdmapper, Accessed 08 Aug 2021
VinCSS Threat Hunting Team, How Playing CS: GO Helped You Bypass Security Products. https://blog.vincss.net/2021/08/ex007-how-playing-cs-go-helped-you-bypass-security-products.html, Accessed 08 Aug 2021
Alshamrani, A., Myneni, S., Chowdhary, A., Huang, D.: A survey on advanced persistent threats: techniques, solutions, challenges, and research opportunities. IEEE Commun. Surv. Tutor. 21(2), 1851–1877 (2019)
Ussath, M., Jaeger, D., Cheng, F., Meinel, C.: Advanced persistent threats: behind the scenes. In: CISS 2016 Conference, pp. 181–186. IEEE (2016)
CVE-2019–16098. https://nvd.nist.gov/vuln/detail/CVE-2019-16098, Accessed 08 Aug 2021
CVE-2015–2291. https://nvd.nist.gov/vuln/detail/CVE-2015-2291, Accessed 08 Aug 2021
Screwed Drivers – Signed, Sealed, Delivered. https://eclypsium.com/2019/08/10/screwed-drivers-signed-sealed-delivered, Accessed 08 Aug 2021
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Pham, HD., Nguyen, V.T., Tiep, M.V., Hien, V.T., Huy, P.P., Vuong, P.T. (2021). Evading Security Products for Credential Dumping Through Exploiting Vulnerable Driver in Windows Operating Systems. In: Dang, T.K., Küng, J., Chung, T.M., Takizawa, M. (eds) Future Data and Security Engineering. Big Data, Security and Privacy, Smart City and Industry 4.0 Applications. FDSE 2021. Communications in Computer and Information Science, vol 1500. Springer, Singapore. https://doi.org/10.1007/978-981-16-8062-5_36
Download citation
DOI: https://doi.org/10.1007/978-981-16-8062-5_36
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-16-8061-8
Online ISBN: 978-981-16-8062-5
eBook Packages: Computer ScienceComputer Science (R0)