![](\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/22\/A%20Closer%20Look%20at%20Windows%20Kernel%20Threats_641.jpg\")
<\/p>\n<\/p>\n
<\/div>\nWindows kernel threats have long been favored by malicious actors because it can allow them to obtain high-privileged access and detection evasion capabilities. These hard-to-banish threats are still crucial components in malicious campaigns\u2019 kill chains to this day. In fact, SentinelOne recently discovered malicious actors abusing Microsoft-signed drivers in targeted attacks<\/a> against organizations in the telecommunication, business process outsourcing (BPO), managed security service provider (MSSP), and financial services industries. This month, SophosLabs also reported their discovery of a cryptographically signed Windows driver and an executable loader application that terminates endpoint security processes and services<\/a> on targeted machines.<\/p>\n In this blog entry, we discuss the reasons why malicious actors choose to and opt not to pursue kernel-level access in their attacks. It also provides an overview of kernel-level threats that have been publicly reported from April 2015 to October 2022. We provide a more comprehensive analysis of the state of noteworthy Windows kernel threats in our research paper, \u201cAn In-depth Look at Windows Kernel Threats,\u201d that we will be publishing in January 2023.<\/p>\n For malicious actors, gaining unfettered access to the kernel is optimal for their attacks. Not only will they be able to execute malicious code at the kernel level, but they will also be able to impair their victims\u2019 security defenses to remain undetected. However, it\u2019s important to note that there are also downsides to developing kernel-level rootkits and other low-level threats.<\/p>\n Pros<\/b><\/p>\n Cons<\/b><\/p>\n We analyzed in-the-wild threats that either completely rely on a kernel driver component or have at least one module in their attack chain that executes in the kernel space. These kernel-level threats were reported between April 2015 and October 2022 and do not include proofs of concept. The full analysis of collected kernel-level threat data can be found in our research paper, \u201cAn In-depth Look at Windows Kernel Threats.\u201d <\/p>\n In our research, we categorized kernel-level threats into three clusters based on observable techniques:<\/p>\n Cluster 1: Threats that bypass kernel mode code signing (KMCS) policy<\/p>\n Cluster 2: Threats that comply with KMCS using legitimate create-your-own-driver techniques<\/p>\n Cluster 3: Threats that shift to a lower abstraction layer<\/p>\n We delve deeper into and provide real-world examples of these clusters on our landing page that we will also be publishing in January 2023.<\/p>\n Based on our observation, the number of noteworthy threats and other major events that have been publicly reported in the last seven years show a steady upward trend from 2018 onwards.<\/p>\n<\/p><\/div>\nThe pros and cons of pursuing kernel-level access<\/span><\/h2>\n
\n
\n
How widespread are kernel threats?<\/span><\/h2>\n