Bypassing EDR through Retrosigned Drivers and System Time Manipulation
The Retrosigned Driver EDR Bypass is a novel modification of a technique employed by multiple ransomware groups to bypass EDR and limit visibility into malicious actions by abusing expired code signing certificates to load malicious kernel drivers.
Summary
Aon's Stroz Friedberg Incident Response Services (“Stroz Friedberg”) has observed ransomware actors utilizing an Endpoint Detection and Response (“EDR”) solution bypass technique dubbed “Retrosigned Driver EDR Bypass” to terminate EDR and to limit visibility of EDR telemetry. This technique involves loading a malicious driver signed with an out-of-date code signing certificate and then manipulating the system time on the target system during the loading process. Once loaded, the driver is utilized to terminate running processes.
Background
Drivers are essential pieces of software that allow the operating system to communicate with hardware devices. They serve as a bridge between the system and the hardware, ensuring that peripheral devices like printers, graphics cards, and network adapters function correctly. Given their critical role, drivers operate with high privileges within the system, making them a prime target for malicious exploitation.
To mitigate the risks associated with driver installation, Microsoft Windows enforces a driver signing process. Driver signing involves the use of cryptographic certificates issued by trusted authorities to verify that the driver code has not been tampered with and originates from a legitimate source. This process ensures that only authorized drivers can be installed, adding a layer of security. However, when attackers find ways to bypass these protections, it opens the door for malicious drivers to be loaded, posing significant threats to system integrity.
Due to the privileged nature of kernel drivers and their potential for abuse, starting in Windows Vista, Microsoft implemented restrictions that required drivers to be signed by trusted software developers, preventing the loading of unsigned drivers. This required developers to obtain code signing certificates from a certificate authority to cryptographically attest that they were the authors of the driver being loaded. Beginning in Windows 10 1607, Microsoft tightened these requirements to only allow drivers that were signed by Microsoft to be loaded. However, to ensure backwards compatibility, Microsoft still allowed kernel mode drivers to be loaded under certain circumstances, including if the driver was signed with “an end-entity certificate issued prior to July 29th 2015 that chains to a supported cross-signed CA.” [1]
These restrictions, combined with the increasing deployment of EDR across the industry, led threat actors to explore an alternate class of attack termed “Bring Your Own Vulnerable Driver” or “BYOVD,” in which a threat actor uses a vulnerability in a legitimately signed driver to gain kernel-level access. This access can then be used to kill processes such as EDR. Stroz Friedberg has previously written about this technique here. Microsoft addressed this technique through the creation of the vulnerable driver blocklist, which prevents known vulnerable drivers from being loaded.
Cisco Talos previously documented a technique in which threat actors forged certificate validity dates in order to make expired cross-signed code signing certificates appear valid during the signing process. The Retrosigned Driver technique Stroz Friedberg observed employs a distinct methodology: it manipulates the certificate validity time checks on the targeted system rather than manipulating the signing process. However, both techniques rely on the same architectural decision in Windows to trust cross-signed code from third-party certificates issued prior to 2015, and both result in similar impact.
Retrosigned Driver EDR Bypass
The Retrosigned Driver technique extends previous techniques by altering the system clock on the target system so that malicious kernel drivers signed with expired, historically compromised cross-signed certificates will load. The following Retrosigned Driver attack pattern was observed by Stroz Friedberg:
- Stop the Windows Time Service to prevent time synchronization through Active Directory Domain Services.
  - net stop w32time & w32tm /unregister
- Set the date to a point within the validity period of the certificate.
  - Example: powershell -command Set-Date -Date "6/23/2015"
- Execute malware which loads a driver signed by a certificate valid prior to July 29th, 2015.
- Kill the EDR processes using the newly loaded driver.
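From the detection side, the steps above leave a distinctive sequence in Windows event logs: the Windows Time service entering the stopped state (System log, Event ID 7036), a system time change (Security log, Event ID 4616), and a kernel-mode driver service being installed (System log, Event ID 7045). The following Python is an added example, not code from the Stroz Friedberg post, that correlates those three records over constructed sample events; the driver service name and path are placeholders, and the records are correlated by log sequence number rather than by timestamp because every record written after the 4616 carries the rolled-back clock.

```python
from datetime import datetime

# Drivers signed with end-entity certificates issued before this date still
# load under the cross-signing exception described in the text.
CROSS_SIGN_CUTOFF = datetime(2015, 7, 29)
MAX_BACKWARD_SHIFT_DAYS = 1  # tolerate small clock corrections, not year jumps
WINDOW = 20                  # how many log records apart the steps may be

# Constructed sample records modelled on Windows event fields (not real
# telemetry). Records after the 4616 carry the *rolled-back* clock, which is
# why correlation below uses the record sequence number "rec", not "ts".
SAMPLE_EVENTS = [
    {"rec": 101, "ts": "2024-03-04T10:00:05", "id": 7036,
     "msg": "The Windows Time service entered the stopped state."},
    {"rec": 102, "ts": "2024-03-04T10:00:20", "id": 4616,
     "prev": "2024-03-04T10:00:20", "new": "2015-06-23T00:00:00"},
    {"rec": 103, "ts": "2015-06-23T00:00:41", "id": 7045,
     "svc": "hlpdrv", "type": "kernel mode driver",
     "path": "C:\\Windows\\Temp\\hlpdrv.sys"},  # placeholder name and path
    {"rec": 104, "ts": "2015-06-23T00:01:10", "id": 4616,
     "prev": "2015-06-23T00:01:10", "new": "2015-06-23T00:01:12"},  # benign drift
]

def find_retrosign_sequences(events, window=WINDOW):
    """Flag a backward clock change into the cross-signing era that is followed
    by a kernel-mode driver install (7045), noting whether the Windows Time
    service was stopped (7036) shortly before the change."""
    events = sorted(events, key=lambda e: e["rec"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["id"] != 4616:
            continue
        prev = datetime.fromisoformat(ev["prev"])
        new = datetime.fromisoformat(ev["new"])
        shift_days = (prev - new).days
        # Forward moves and small backward corrections are ordinary NTP behaviour.
        if new >= prev or (new >= CROSS_SIGN_CUTOFF and shift_days <= MAX_BACKWARD_SHIFT_DAYS):
            continue
        w32time_stopped = any(
            p["id"] == 7036 and "Windows Time" in p["msg"] and "stopped" in p["msg"]
            for p in events[max(0, i - window):i])
        for later in events[i + 1:i + 1 + window]:
            if later["id"] == 7045 and "kernel" in later.get("type", "").lower():
                alerts.append({"time_change_rec": ev["rec"], "driver_rec": later["rec"],
                               "driver": later["svc"], "new_clock": ev["new"],
                               "shift_days": shift_days, "w32time_stopped": w32time_stopped})
    return alerts

if __name__ == "__main__":
    for alert in find_retrosign_sequences(SAMPLE_EVENTS):
        print(alert)
```

In a real pipeline the same logic maps onto the EventRecordID of each record; the second 4616 in the sample is deliberately left unflagged to show that small corrections do not fire the rule.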