Research field: Strategies
Conference: International Conference on Future Data and Security Engineering
Device drivers play an essential role in operating systems; therefore, they are always a target for bug hunters. Many vulnerabilities have been reported over the decades, and the number of new ones is increasing every year. Although the drivers are patched in newer versions, the older ones are still benign programs with digital signatures trusted by antivirus software. Cyber adversaries can use the unsafe versions of drivers to perform malicious actions. This study demonstrates how to use an old version, from 2012, of the Intel Network Adapter Diagnostic Driver for Windows OS credential dumping. We successfully collect credentials in memory without any notification from the antivirus programs. By evading almost all current security products with an aged driver, our results raise awareness of the potential threat from vulnerable drivers and call for mechanisms to counter this attack technique.
| Publication year | 2021 |
|---|---|
| Citations | 0 |
| Country of publication | Vietnam |
| Site | Springer |