In a coordinated disclosure with Microsoft on 13 December 2022, security researchers with Mandiant, SentinelOne, and Sophos published evidence of a threat actor technique in which maliciously crafted drivers carrying valid cryptographic signatures were loaded on victim systems. The drivers were observed attempting to terminate a list of security products and evade detection. They were used as post-exploitation actions by several groups, including as a defense evasion technique by ransomware threat actors.
As part of the coordinated disclosure, Microsoft released an advisory on these techniques, stating that several developer accounts had been abused to sign malicious code and that the associated certificates had subsequently been revoked. Microsoft also stated that Microsoft Defender 1.377.987.0 was released with detections that block the use of legitimately signed drivers known to have been used for malicious purposes.
It is important to note that the malicious activities invoked by these signed drivers took place post-exploitation, and do not represent a new initial access vector. This research emphasises the need for detection of known ransomware behaviors and other malicious activities rather than relying solely on trust outsourced to cryptographic certificate authorities.
Using closed and open threat intelligence, Arctic Wolf Labs works continuously to implement new detections for malicious behaviors with our services.
Recommendation #1: Apply Windows Updates
As part of your organisation’s regular patching cycle, apply the latest Windows Updates so that the fixes from the 13 December update for Microsoft Defender are in place. This provides protection against drivers known to have been involved in malicious activity, as reported in the coordinated disclosure described in this bulletin.
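One way to verify this recommendation on a host, as an added PowerShell example that is not part of the bulletin: it checks that the installed Defender signature version is at or above the 1.377.987.0 release named above, then lists running kernel drivers whose Authenticode signer is not Microsoft so they can be reviewed against current threat intelligence. It assumes an elevated PowerShell session on a Windows host running Microsoft Defender.

```powershell
# Added example, not from the Arctic Wolf bulletin. Assumes an elevated session
# on a host with Microsoft Defender; the version below is the one the text cites.
$RequiredSignatureVersion = [version]'1.377.987.0'

function Test-DefenderSignatureVersion {
    # Get-MpComputerStatus exposes the active Defender signature version
    $status  = Get-MpComputerStatus
    $current = [version]$status.AntivirusSignatureVersion
    [pscustomobject]@{
        Current  = $current
        Required = $RequiredSignatureVersion
        UpToDate = ($current -ge $RequiredSignatureVersion)
    }
}

function Get-NonMicrosoftRunningDrivers {
    # Inventory running kernel drivers and their Authenticode signers, keeping
    # only those not signed under a Microsoft subject for analyst review
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Some drivers report an NT-style "\??\C:\..." path; strip the prefix
            $path = $_.PathName -replace '^\\\?\?\\', ''
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<no signer certificate>' }
            [pscustomobject]@{
                Driver = $_.Name
                Path   = $path
                Status = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer = $signer
            }
        } |
        Where-Object { $_.Signer -notmatch 'O=Microsoft Corporation' }
}

Test-DefenderSignatureVersion | Format-List
# Review each entry: a NotTrusted status, or a signer you do not recognise as a
# vendor your environment uses, is worth correlating with your threat intel feeds.
Get-NonMicrosoftRunningDrivers | Sort-Object Signer | Format-Table -AutoSize
```

Entries reported as NotSigned may still be catalog-signed, so treat the list as an input for review rather than a verdict.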