Detecting Risky Third-party Drivers on Windows Assets

Kernel-mode drivers are critical yet risky components of the Windows operating system. Learn about their functionality, the dangers they pose, and how Tenable's new plugins can help identify and mitigate vulnerabilities using community-driven resources like LOLDrivers.

Windows is an operating system that, over its 40-plus years of history, has developed more than a few arcane components that are a mystery to many systems administrators. The kernel-mode driver is one component that’s fresh in the minds of many of those administrators these days.

What is a kernel-mode driver?

Kernel-mode drivers operate at a higher level of privilege than user-mode drivers and provide applications on a Windows system with a way to interact directly with the Windows kernel and hardware.This allows games to talk directly to a graphics card or a security product to talk directly to core components of the OS. When your software needs to communicate with the highest level of efficiency, accept no substitute!

Why are kernel-mode drivers risky?

If a kernel-mode driver misbehaves, it can cause much more serious issues with Windows than a user-mode driver does.The problems can range from data corruption and damage to the operating system to outright crashes and an inability to use the machine. A recent worldwide computing incident was caused by an update to a kernel-mode driver in a popular endpoint security product.

That said, thousands of software products use kernel-mode drivers safely on billions of devices every day. A kernel-mode driver on a Windows asset is normal and not usually cause for concern. However, there are some drivers for which Windows administrators should keep watch.

Which kernel-mode drivers should I worry about?

Some widely distributed kernel-mode drivers contain vulnerabilities that are known to attackers. These attackers know that when they breach a Windows machine, they can look at the kernel-mode drivers running on it to see if any of them are familiar and can be readily used to elevate their privileges on the machine.

Of course, with administrative privileges, attackers can also load new drivers onto a machine. They may attempt to install a known vulnerable driver or a custom-made malicious driver to provide themselves with more tools to control the victim host.

A community-driven initiative called LOLDrivers - or “Living Off the Land Drivers”, in reference to attackers who “live off the land” by using tools already on their victim machine - emerged in the last few years, cataloging known vulnerable or malicious drivers. By maintaining an up-to-date list of these problematic drivers, the project aims to provide a valuable resource for security professionals seeking to defend against these techniques. Incorporating this list into security tools, such as driver enumeration plugins, enables proactive detection and mitigation of threats before they can cause harm.

What is Tenable doing to help mitigate this risk?

Tenable Research has developed a new set of plugins for Tenable Nessus, Tenable Security Center, Tenable Vulnerability Management and Tenable One to help practitioners gain visibility into the risky third-party drivers on their assets.

First, the Windows System Driver Enumeration plugin will list the third-party (i.e., those not provided by Microsoft) kernel-mode drivers installed on a Windows machine. Scan results will document all detected third-party system drivers and can provide an inventory across an organization’s Windows population. The results are not indicative of malicious activity by themselves – they are a way to provide awareness of which drivers have privileged access to Windows machines. Second, the LOLDrivers Detected plugin will cross-reference the list of drivers detected in the prior plugin with the list published by the LOLDrivers project. These drivers are either known to be malicious or are vulnerable to known attacks and should be remediated.

Tenable Research recommends regularly reviewing the results for the second plugin and investigating them by reviewing the relevant entry on the LOLDrivers website. If a malicious file is detected, initiating an incident investigation is appropriate, as you would in any case of detecting malware. A known vulnerable driver should be updated in accordance with the instructions from the vendor that provided the driver.

If there is a concern about a legitimate driver that might cause an impact to the environment, the enumeration plugin will allow a broader view into the organization’s driver inventory for a faster way to identify affected assets. Unsure what you should do about a specific driver that’s been detected? Contact the vendor that created the driver, as they’re the best resource to provide details on how it is used with their software and why it needs kernel access.

Enhancing security awareness with driver enumeration tools

Staying ahead of potential threats is crucial. The new driver enumeration plugin, leveraging the power of the LOLDrivers project, offers a practical and effective solution for enhancing system security by improving a security team’s awareness of a source of risk to their Windows assets.