Windows kernel threats have long been favored by malicious actors because they can grant high-privileged access and detection evasion capabilities. These hard-to-banish threats remain crucial components in the kill chains of malicious campaigns to this day. In fact, SentinelOne recently discovered malicious actors abusing Microsoft-signed drivers in targeted attacks against organizations in the telecommunication, business process outsourcing (BPO), managed security service provider (MSSP), and financial services industries. This month, SophosLabs also reported their discovery of a cryptographically signed Windows driver and an executable loader application that terminate endpoint security processes and services on targeted machines.
In this blog entry, we discuss why malicious actors choose to pursue, or opt not to pursue, kernel-level access in their attacks. We also provide an overview of kernel-level threats that were publicly reported from April 2015 to October 2022. A more comprehensive analysis of the state of noteworthy Windows kernel threats is given in our research paper, “An In-depth Look at Windows Kernel Threats,” which we will publish in January 2023.
The pros and cons of pursuing kernel-level access
For malicious actors, gaining unfettered access to the kernel is optimal for their attacks. Not only will they be able to execute malicious code at the kernel level, but they will also be able to impair their victims’ security defenses to remain undetected. However, it’s important to note that there are also downsides to developing kernel-level rootkits and other low-level threats.