Christopher Vella (Kharosx0)
Christopher Vella is a security researcher @ Microsoft (MORSE) and develops trainings and custom vulnerability research tooling @ Signal Labs
Session
Bring your own vulnerable driver (BYOVD) is a technique used by many APTs and ransomware groups to gain privileged Kernel access to a Windows target, typically to terminate security software running in protected processes on the host that cannot be modified by regular processes.
Its enough of a threat that Microsoft keep a list of vulnerable drivers that can be blocked from installation on Windows systems. Does this actually stop attackers though? How common are vulnerable signed Kernel drivers?
This talk explores how I built tooling to automatically pull down hundreds of random signed drivers, perform automated analysis on them and also perform automated exploit generation to easily generate weaponised BYOVD bundles that are not known or present in the Window's blocklist.