A Closer Look at Windows Kernel Threats

Windows kernel threats have long been favored by malicious actors because it can allow them to obtain high-privileged access and detection evasion capabilities. These hard-to-banish threats are still crucial components in malicious campaigns’ kill chains to this day. In fact, SentinelOne recently discovered malicious actors abusing Microsoft-signed drivers in targeted attacks against organizations in the telecommunication, business process outsourcing (BPO), managed security service provider (MSSP), and financial services industries. This month, SophosLabs also reported their discovery of a cryptographically signed Windows driver and an executable loader application that terminates endpoint security processes and services on targeted machines.

In this blog entry, we discuss the reasons why malicious actors choose to and opt not to pursue kernel-level access in their attacks. It also provides an overview of kernel-level threats that have been publicly reported from April 2015 to October 2022. We provide a more comprehensive analysis of the state of noteworthy Windows kernel threats in our research paper, “An In-depth Look at Windows Kernel Threats,” that we will be publishing in January 2023.

The pros and cons of pursuing kernel-level access

For malicious actors, gaining unfettered access to the kernel is optimal for their attacks. Not only will they be able to execute malicious code at the kernel level, but they will also be able to impair their victims’ security defenses to remain undetected. However, it’s important to note that there are also downsides to developing kernel-level rootkits and other low-level threats.

Pros

• Gaining very high-privileged access to system resources
• Hiding malicious activity on devices and making detection and response activities more difficult
• Protecting malicious artifacts from normal system filtering processes
• Executing stealth operations that can bypass detection for extended periods
• Gaining inherited trust from third-party antivirus products
• Tampering with core services’ data flow that multiple user-mode applications depend on
• Tampering with third-party security products that hinder malicious activity 
• Achieving a very low detection rate. According to intelligence reports, most modern rootkits remain undetected for a long period. 

Cons

• Developing these threats can be expensive. 
• Developing and implementing kernel rootkits are more difficult compared to other user-mode application malware types, which does not make them the ideal threat for most attacks. 
• The development of kernel rootkits involves highly qualified kernel-mode developers who understand the targeted operating system’s internal components and have a sufficient level of competence when it comes to reverse engineering system components.
• Since kernel rootkits are more sensitive to errors, they might reveal the whole operation if it crashed the system and triggered the blue screen of death (BSOD) due to code bugs in the kernel module.
• Introducing a kernel-mode component will complicate the attack more than it will support it if the victim’s security mechanisms are already ineffective or can be taken down via a simpler technique.

How widespread are kernel threats?

We analyzed in-the-wild threats that either completely rely on a kernel driver component or have at least one module in their attack chain that executes in the kernel space. These kernel-level threats were reported between April 2015 and October 2022 and do not include proofs of concept. The full analysis of collected kernel-level threat data can be found in our research paper, “An In-depth Look at Windows Kernel Threats.”  

In our research, we categorized kernel-level threats into three clusters based on observable techniques:

Cluster 1: Threats that bypass kernel mode code signing (KMCS) policy

Cluster 2: Threats that comply with KMCS using legitimate create-your-own-driver techniques

Cluster 3: Threats that shift to a lower abstraction layer

We delve deeper into and provide real-world examples of these clusters on our landing page that we will also be publishing in January 2023.

Based on our observation, the number of noteworthy threats and other major events that have been publicly reported in the last seven years show a steady upward trend from 2018 onwards.