Category: Detection and Threat Hunting
During the week of June 21st, 2021, information security researchers from G Data discovered that a driver for Microsoft Windows named “netfilter.sys” had a backdoor added by a 3rd party that Microsoft then signed as a part of the Microsoft OEM program. The malicious file is installed on a victim’s system as a component of an attack as part of the post-exploitation process. This means that the attacker must either have gained administrative privileges or already had access to run the installer to update the registry and install the malicious driver. This can occur during the post-exploitation process or set up to install the next time the system starts. Additionally, the victim can be convinced to install the driver as part of a pretexting attack. At present, Microsoft has not seen the enterprise environment targeted, rather individual users at this time.
Investigating Malicious Drivers
Several tools can be used to check systems for indications of malicious drivers. For example, tools such as SysInternals Autoruns and LOG-MD can investigate autoruns or persistence entries, with drivers being one type of persistence on a Windows server and workstation systems.
On a Windows system, drivers tend to be loaded from typically three locations:
- C:\Windows\System32\Drivers
- C:\WINDOWS\system32\DriverStore\FileRepository
- Applications installed directory typically under “Program Files” or “Program Files x86”.
The malicious netfilter driver, in this case, can be found in a folder that drivers should never exist. The odd driver location is a good artifact for execution detection and threat hunting. Any binary found in the following folder should be investigated:
- %AppData% – C:\Users\<username>\AppData\Roaming
Windows also provides a built-in utility “driverquery” that can list the drivers, the state of the driver (running or stopped), and the driver’s key (location from which the driver was loaded). To get a list of all the drivers of a system into CSV format that can then be opened in Microsoft Excel, execute the following command in an administrative command prompt:
- driverquery /v /fo CSV | find /i /v “system32\drivers\” | find /i /v “driverstore” > C:\Windows\Temp\Driver_List_%computername%.csv
This command will filter out the two primary locations drivers are loaded, providing a short list of drivers on the system that should be investigated. This command also includes the name of the system appended to the output filename to allow for easier review of artifacts collected from multiple systems.
Detecting the netfilter driver and similar malicious payloads is as simple as looking for binaries and drivers loaded from atypical locations. Add a rule to your SIEM, log management, EDR, or similar security tooling that looks for process execution (event ID 4688 of the Windows security log) from the following locations:
- C:\Program Files
- C:\Program Files x86
- C:\ProgramData
- %AppData% – C:\Users\<username>\AppData\Roaming
- %LocalAppData% – C:\Users\<username>\AppData\Local
In order to collect event ID 4688, the Windows Advanced Audit Policy will need to have the following policy enabled:
- Detailed Tracking – Audit Process Creation
We hope this information can assist in your detection and threat hunting efforts to detect this and similar types of attacks.
The following indicators of compromise (IOCs) are provided to help in detection and threat hunting activities.
Folders the file(s) can be found
- %AppData% – C:\Users\<username>\AppData\Roaming
Filenames
- Netfilter.sys
- Sdl.sys
- File.sys
IP Addresses
- 110.42.4[.]180
- 45.113.202[.]180
File Hashes
- 04a269dd0a03e32e5b2a1c8ab0768791962e040d080d44dc44dab01dd7954f2b
- 0856a1da15b2b3e8999bf9fc51bbdedd4051e21fab1302e2ce766180b4931d86
- 0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5
- 0eace788e09c8d3f793a1fad94d35bcfd233f0777873412cd0c8172865562eec
- 115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a1406
- 12656fc113b178fa3e6bfffc6473897766c44120082483eb8059ebff29b5d2df
- 12c0002af719c6abbc1e726b409fce099fffb90f758477f5295c152bde504caa
- 16b6be03495a4f4cf394194566bb02061fba2256cc04dcbde5aa6a17e41b7650
- 18b923b169b2c3c7db5cbfda0db0999f04adb2cf6c917e5b1fb2ff04714ecac1
- 1aa8ba45f9524847e2a36c0dc6fd80162923e88dc1be217dde2fb5894c65ff43
- 1cd75de5f54b799b60789696587b56a4a793cf60775b81f236f0e65189d863af
- 1d1f7e26109e6cb28c6b369c937b407d7b0cce3c4800ce9852eda94742b12259
- 1d60819f0ab8547dcd4eb18d39a0c317ec826332afa19c0a6af94bc681a21f14
- 1f05f74ebae7e65d389703d423445ffb269e657d8278b0523417e1f72b0228eb
- 1f90d9c4d259c1fde4c7bb66a95d71ea0122e4dfb75883a6cb17b5c80ce6d18a
- 22da5a055b7b17c69def9f5af54e257c751507e7b6b9a835fcf6245ab90ae750
- 22f6fe6bd62fb03f7aee489cccbc918999f49596052ac0153c02cd7a3320de13
- 23c061933d471c1f959c77806098ec0528d9b1d0130689bb3f417dd843138468
- 24ea733bae1b8722841fb4c6cead93c4c4f0b1248ca9a21601b1ce6b95b06864
- 26d67d479dafe6b33c980bd1eed0b6d749f43d05d001c5dcaaf5fcddb9b899fe
- 26f2b9cf6e0fb50bad49a367bee63e808f1d53c476b38642d13c7db6e50687f4
- 2fa78c2988f9580b0c18822b117d065fb419f9c476f4cfa43925ba6cd2dffac3
- 314affdc86f62c8f8069ccd50a2cdf73bcd319773a031be700ba97a1ea4129a8
- 34c890fa43ca0e5165a4960549828ba43d7f48a216a22fc46204548ebfc34f72
- 3700b38d63d426ff0a985226b45eca6e24d052f4262d12aff529e62c2cb889c3
- 40c45c9b1c764777096b59f99ae524cbd25b88c805187e615c3ed6840f3d4c15
- 45ee083e28fbb33afa41b1b8cd00d94c29dea8cb7cee70bae4079e6c3dfb5501
- 4ce61ad21f186cf10dbcc253feee31262203cb5c12c5a140d2dda5447c57aba1
- 516159871730b18c2bddedb1a9da110577112d4835606ee79bb80e7a58784a13
- 5cb1dc26159c6700d6cadece63f6defda642ec1a6d324daefb0965b4e3746f70
- 5d0d5373c5e52c4405f4bd963413e6ef3490b7c4c919ec2d4e3fb92e91f397a0
- 62d7c5465852cdb7b59a86c20b4de5991c8f4820ce11a7c01cf0dde6032e500d
- 630d7bdc20f33e6f822f52533a324865694886b7b74dfaad1dc30c9aee4260a2
- 635273eaa4c2e20c4ec320c6c8447ce2e881984e97c9ed6aeec4fad16b934e81
- 63d61549030fcf46ff1dc138122580b4364f0fe99e6b068bc6a3d6903656aff0
- 640eeb3128ae5c353034ee29cb656d38c41353743396c1c936afd4d04a782087
- 6703400b490b35bcde6e41ce1640920251855e6d94171170ae7ea22cdd0938c0
- 6a234a2b8eb3844f7b5831ee048f88e8a76e9d38e753cc82f61b234c79fe1660
- 6a6db5febdaf3f1577bf97c6e1e24913e6c78b134062c02fd1f9875099c03a3f
- 6c7f24d8ed000bc7ce842e4875b467f9de1626436e051bd351adf1f6f8bbacf8
- 70b63dfc3ed2b89a4eb8a0aa6c26885f460e5686d21c9d32413df0cdc5f962c7
- 79e7165e626c7bde546cd1bea4b9ec206de8bed7821479856bdb0a2adc3e3617
- 7ff8fe4c220cf6416984b70a7e272006a018e5662da3cedc2a88efeb6411b4a4
- 8249e9c0ac0840a36d9a5b9ff3e217198a2f533159acd4bf3d9b0132cc079870
- 8e0b330a8df3076153638f5b76afc24d1083ebccc60e4d63ee0df5c11c45d58a
- 93d99a5fbfc888c0a40a18946933121ae110229dcf206b4d17116a57e7cf4dc9
- 97030f3c81906334429afebbf365a89b66804ed890cd74038815ca18823d626c
- 9b55b35284346bbcdc2754e60517e1702f0286770a080ee6ff3e7eed1cab812a
- 9f9315790d0b0cc5213ac9a8eff0968cccc0a6c469b50d6598ce759748fe74bf
- 9f9ebd6cd9b5b33ab2780122ee9c5feec84927f362890a062d13ef9816c7b85f
- a0050c33c8263da02618872d642617959b3564fe173985e078bfedb89df93724
- aa97f4f98ff842b1bfd78e920fcb1dedaec3f882dd19311bba6037430868e7a7
- ad2dd8a68ce22d0959f341e9269e8033b34362b34bdea50b8ee2390907f1a610
- b2cd9cca011064d03ddd8fe3521ce0e9f9d8b16f63e4ecaf03eacfef47d22dbf
- b7516dca419d087ef844c42e061a834908f34e7363577ab128094973896222c8
- b847e717215e0198cb4e863bd96390613f83eb92693171be50ca14255c5fb088
- bbc58fd69ce5fed6691dd8d2084e9b728add808ffd5ea8b42ac284b686f77d9a
- bfb4603902c6c9ff32bc36113280ee8b5687cc3ef4c0ff9fc56f2925c7f342f0
- c0e74f565237c32989cb81234f4b5ad85f9dd731c112847c0a143d771021cb99
- c2f23ad4e2f12c490cfd589764464e293d5d56c31b6b3f5081e2d677384cb2fe
- c95af9eb52111b72563875d85d593d96d7e54e19690827a052377c77cc80e06f
- caa0d9bb7ed2d21a76b71dfc22ffaef80371de8af2a03b8103cbcec332897a88
- d0e1639e6386ef3c063bfae334fcc35cdfa85068ac1a65bb58f2463276c31ac9
- d1ac4d07ba6fe1dd988c471975e49e35b83d03a9b9d626fa524fd8300b80b14a
- d4335f4189240a3bcafa05fab01f0707cc8e3dd7a2998af734c24916d9e37ca8
- d60fdabaf5a0ab375361d2ed1a9b39832bdb8bd33466d6c43d42a48ba2ffd274
- e0afb8b937a5907fbe55a1d1cc7574e9304007ef33fa80ff3896e997a1beaf37
- e2449ccc74e745c0339850064313bdd8dc0eff17b3a4e0882184c9576ac93a89
- e8e7f2f889948fd977b5941e6897921da28c8898a9ca1379816d9f3fa9bc40ff
- edc6e32e3545f859e5b49ece1cabd13623122c1f03a2f7454a61034b3ff577ed
- ee6d0d0ea24be622521ee1a4defa5d5729b99ee2217ac65701d38d05dbc0d4e6
- f1718a005232d1261894b798a60c73d971416359b70d0e545d7e7a40ed742b71
- f83c357106a7d1d055b5cb75c8414aa3219354deb16ae9ee7efe8ee4c8c670ca
- fd8a5313bf63f5013dc126620276fb4f0ef26416db48ee88cbaaca4029df1d73
- Microsoft MSRC Article on the malicious driver – https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/
- G Data Article on the malicious driver – https://www.gdatasoftware.com/blog/microsoft-signed-a-malicious-netfilter-rootkit
- Windows Logging Cheat Sheets – https://www.malwarearchaeology.com/cheat-sheets
- Florian Roth’s github data on the malicious driver – https://docs.google.com/spreadsheets/d/1FYgBmJH8MOli99oIqRsIHJA2XzI3aSdAOb9mZmqj_q0/edit