In a coordinated disclosure with Microsoft on December 13th, 2022, security researchers with Mandiant, SentinelOne, and Sophos published evidence of a threat actor technique where malicious crafted drivers were invoked using a valid cryptographic signature. The malicious drivers were observed attempting to terminate a list of security products and evade detection. These drivers were invoked as post-exploitation actions taken by several groups, including defense evasion techniques used by ransomware threat actors.
As part of the coordinated disclosure, Microsoft released an advisory on these techniques, stating that several developer accounts had been abused for the purpose of signing malicious code, and that they had subsequently revoked those certificates. They stated that Microsoft Defender 1.377.987.0 was released with detections that block use of legitimately signed drivers known to have been used for malicious purposes.
It is important to note that the malicious activities invoked by these signed drivers took place post-exploitation, and do not represent a new initial access vector. This research emphasizes the need for detection of known ransomware behaviors and other malicious activities rather than relying solely on trust outsourced to cryptographic certificate authorities.
Using closed and open threat intelligence, Arctic Wolf Labs works continuously to implement new detections for malicious behaviors with our services.
Recommendation
Recommendation #1: Apply Windows Updates
As part of your organization’s regular patching cycle, apply the latest Windows Updates to apply the latest fixes from the December 13th update for Microsoft Defender. This will provide protection against drivers that are known to have been involved in malicious activity, as reported in the coordinated disclosure described in this bulletin.
