Bypassing EDR through Retrosigned Drivers and System Time Manipulation

Bypassing EDR through Retrosigned Drivers and System Time Manipulation
Cyber Labs

01 of 12

This insight is part 01 of 12 in this Collection.

September 13, 2024 9 mins

Bypassing EDR through Retrosigned Drivers and System Time Manipulation

The Retrosigned Driver EDR Bypass is a novel modification of a technique employed by multiple ransomware groups to bypass EDR and limit visibility into malicious actions by abusing expired code signing certificates to load malicious kernel drivers.

Summary

Aon's Stroz Friedberg Incident Response Services ("Stroz Friedberg") has observed ransomware actors utilizing an Endpoint Detection and Response (“EDR”) solution bypass technique dubbed Retrosigned Driver EDR Bypass to terminate EDR and to limit visibility of EDR telemetry. This technique involves loading a malicious driver signed with an out-of-date code signing certificate and then manipulating the system time on the target system during the loading process. Once loaded, the driver is utilized to terminate running processes

Background

Drivers are essential pieces of software that allow the operating system to communicate with hardware devices. They serve as a bridge between the system and the hardware, ensuring that peripheral devices like printers, graphics cards, and network adapters function correctly. Given their critical role, drivers operate with high privileges within the system, making them a prime target for malicious exploitation.

To mitigate the risks associated with driver installation, Microsoft Windows enforces a driver signing process. Driver signing involves the use of cryptographic certificates issued by trusted authorities to verify that the driver code has not been tampered with and originates from a legitimate source. This process ensures that only authorized drivers can be installed, adding a layer of security. However, when attackers find ways to bypass these protections, it opens the door for malicious drivers to be loaded, posing significant threats to system integrity.

Due to the privileged nature of kernel drivers and their potential for abuse, starting in Windows Vista, Microsoft implemented restrictions that required drivers to be signed by trusted software developers, preventing the loading of unsigned drivers. This required developers to obtain code signing certificates from a certificate authority to cryptographically attest that they were the authors of the driver being loaded. Beginning in Windows 10 1607 Microsoft tightened these requirements to only allow drivers that were signed by Microsoft to be loaded. However, to ensure backwards compatibility, Microsoft still allowed for kernel mode drivers to be loaded under certain circumstances, including if the driver was signed with “an end-entity certificate issued prior to July 29th 2015 that chains to a supported cross-signed CA.”1

These restrictions, combined with the increasing deployment of EDR across the industry lead threat actors to explore an alternate class of attack termed “Bring Your Own Vulnerable Driver” or “BYOVD” in which a threat actor would use a vulnerability in a legitimately signed driver to gain kernel level access. This access can then be used to kill processes such as EDR. Stroz Friedberg has previously written about this technique here. Microsoft addressed this technique through the creation of the vulnerable driver blocklist which prevented known vulnerable drivers from being loaded.

Cisco Talos previously documented a technique in which threat actors forged certificate validity dates in order to make expired cross-signing code certificates appear valid during the signing process. The Retrosigned Driver technique Stroz Friedberg observed employs a distinct methodology and relies on manipulating the certificate validity time checks on targeted systems as opposed to manipulating the signing process. However, both techniques leverage on the same architectural decision in Windows to trust cross-signed code from third party certificates prior to 2015 and result in similar impact.

Retrosigned Driver EDR Bypass

Retrosigned Drivers extends previous techniques by altering the system clock on the target system to load malicious kernel drivers that were signed by historically compromised expired cross-signing certificates. The following Retrosigned Driver attack pattern was observed by Stroz Friedberg:

  • Stop the Windows Time Service to prevent time synchronization through Active Directory Domain Services.
    • net stop w32time & w32tm /unregister
  • Set the date during the validity period of the certificate
    • Example: powershell -command Set-Date -Date "6/23/2015"
  • Execute malware which loads a driver signed by a certificate valid prior to July 29th, 2015.
  • Kill the EDR processes using the newly loaded driver.

Stroz Friedberg analyzed the recovered sample and confirmed that it was able to successfully load the driver and kill the targeted EDR, but only when the system time was changed to a period within the validity date of the driver. Stroz Friedberg observed similar samples across several engagements involving threat actors which deployed the Medusa and Abysslocker ransomware variants.

The recovered samples had code overlaps with previously known malware samples tracked as POORTRY and STONESTOP. When these malware families were previously identified, they were signed using a Microsoft Hardware Compatibility Program certificate as opposed to an out-of-date signing certificate.

Stroz Friedberg reported their findings to the targeted EDR vendor and provided Microsoft the malicious drivers and associated certificates, along with a description of the technique. Stroz Friedberg held publication of this post for a 60-day period after the disclosure.

Detection Mechanisms

  • Time changes
    • Kernel-General Event ID 1: Time Changed.
    • Security Event ID 4616: Time Changed.
    • Out of sequence MFT records.
  • System Event 7034 – EDR service terminated unexpectedly.
  • System Event 7045 – Service install of malicious driver.
  • System Registry Key update ROOT\ControlSet001\Services\[Malicious Driver].
  • Sysmon Event ID 11 – Creation of malicious .sys driver file.
  • PowerShell command execution: Date change.
  • PowerShell command execution: Stopping time service.

Contact

If you suspect you are compromised or need assistance in assessing compromise, please call our Incident Response hotline. If you are from a Law Enforcement Agency or Endpoint Detection and Response vendor and wish for more details, please contact Aon Cyber Solutions.

Authors
  • John Ailes
    DFIR
  • Zachary Reichert
    DFIR
Contributors
  • Partha Alwar
    DFIR

About Cyber Solutions:

Aon’s Cyber Solutions offers holistic cyber risk management, unsurpassed investigative skills, and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets, and recover from cyber incidents.

General Disclaimer

This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document. While care has been taken in the preparation of this material and some of the information contained within it has been obtained from sources that Stroz Friedberg believes to be reliable (including third-party sources), Stroz Friedberg does not warrant, represent, or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article and accepts no liability for any loss incurred in any way whatsoever by any person or organization who may rely upon it. It is for informational purposes only. You should consult with your own professional advisors or IT specialists before implementing any recommendation or following the guidance provided herein. Further, we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. Further, this article has been compiled using information available to us up to 9/13/2024.

Terms of Use

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.

Aon's Better Being Podcast

Our Better Being podcast series, hosted by Aon Chief Wellbeing Officer Rachel Fellowes, explores wellbeing strategies and resilience. This season we cover human sustainability, kindness in the workplace, how to measure wellbeing, managing grief and more.

Aon Insights Series UK

Expert Views on Today's Risk Capital and Human Capital Issues

Construction and Infrastructure

The construction industry is under pressure from interconnected risks and notable macroeconomic developments. Learn how your organization can benefit from construction insurance and risk management.

Cyber Labs

Stay in the loop on today's most pressing cyber security matters.

Cyber Resilience

Our Cyber Resilience collection gives you access to Aon’s latest insights on the evolving landscape of cyber threats and risk mitigation measures. Reach out to our experts to discuss how to make the right decisions to strengthen your organization’s cyber resilience.

Employee Wellbeing

Our Employee Wellbeing collection gives you access to the latest insights from Aon's human capital team. You can also reach out to the team at any time for assistance with your employee wellbeing needs.

Environmental, Social and Governance Insights

Explore Aon's latest environmental social and governance (ESG) insights.

Q4 2023 Global Insurance Market Insights

Our Global Insurance Market Insights highlight insurance market trends across pricing, capacity, underwriting, limits, deductibles and coverages.

Regional Results

How do the top risks on business leaders’ minds differ by region and how can these risks be mitigated? Explore the regional results to learn more.

Human Capital Analytics

Our Human Capital Analytics collection gives you access to the latest insights from Aon's human capital team. Contact us to learn how Aon’s analytics capabilities helps organizations make better workforce decisions.

Insights for HR

Explore our hand-picked insights for human resources professionals.

Workforce

Our Workforce Collection provides access to the latest insights from Aon’s Human Capital team on topics ranging from health and benefits, retirement and talent practices. You can reach out to our team at any time to learn how we can help address emerging workforce challenges.

Mergers and Acquisitions

Our Mergers and Acquisitions (M&A) collection gives you access to the latest insights from Aon's thought leaders to help dealmakers make better decisions. Explore our latest insights and reach out to the team at any time for assistance with transaction challenges and opportunities.

Navigating Volatility

How do businesses navigate their way through new forms of volatility and make decisions that protect and grow their organizations?

Parametric Insurance

Our Parametric Insurance Collection provides ways your organization can benefit from this simple, straightforward and fast-paying risk transfer solution. Reach out to learn how we can help you make better decisions to manage your catastrophe exposures and near-term volatility.

Pay Transparency and Equity

Our Pay Transparency and Equity collection gives you access to the latest insights from Aon's human capital team on topics ranging from pay equity to diversity, equity and inclusion. Contact us to learn how we can help your organization address these issues.

Property Risk Management

Forecasters are predicting an extremely active 2024 Atlantic hurricane season. Take measures to build resilience to mitigate risk for hurricane-prone properties.

Technology

Our Technology Collection provides access to the latest insights from Aon's thought leaders on navigating the evolving risks and opportunities of technology. Reach out to the team to learn how we can help you use technology to make better decisions for the future.

Top 10 Global Risks

Trade, technology, weather and workforce stability are the central forces in today’s risk landscape.

Trade

Our Trade Collection gives you access to the latest insights from Aon's thought leaders on navigating the evolving risks and opportunities for international business. Reach out to our team to understand how to make better decisions around macro trends and why they matter to businesses.

Weather

With a changing climate, organizations in all sectors will need to protect their people and physical assets, reduce their carbon footprint, and invest in new solutions to thrive. Our Weather Collection provides you with critical insights to be prepared.

Workforce Resilience

Our Workforce Resilience collection gives you access to the latest insights from Aon's Human Capital team. You can reach out to the team at any time for questions about how we can assess gaps and help build a more resilience workforce.

More Like This

View All
View All
Subscribe CTA Banner