LSASS Driver

Information

• Name: LSASS Driver

• ID: T1547.008

• Tactics: TA0003, TA0004

• Technique: T1547

Introduction

The LSASS Driver sub-technique (T1547.008) within the MITRE ATT&CK framework refers to adversaries leveraging malicious drivers to interact with or manipulate the Local Security Authority Subsystem Service (LSASS). LSASS is a critical Windows process responsible for enforcing security policies, authentication, and handling sensitive credential data. Attackers exploit this sub-technique to maintain persistence, escalate privileges, or extract sensitive credentials directly from memory, thereby compromising the security posture of the affected environment.

Deep Dive Into Technique

Attackers employing the LSASS Driver sub-technique typically use kernel-mode drivers to access or manipulate LSASS memory, bypassing user-mode security controls and evading detection. These drivers operate with high-level privileges, granting adversaries significant control over system operations.

Technical details of execution methods include:

• Kernel-mode Drivers: Attackers load malicious drivers into kernel space, enabling direct interaction with LSASS memory structures. Kernel-mode drivers have unrestricted access on the system, allowing adversaries to bypass traditional user-mode protections.

• Credential Extraction: Malicious drivers may directly read LSASS memory to extract plaintext passwords, NTLM hashes, Kerberos tickets, and other sensitive credential data.

• Process Injection and Hooking: Attackers may use drivers to inject malicious code into LSASS or hook API calls, facilitating stealthy credential harvesting and persistence mechanisms.

• Bypassing Security Controls: Kernel-mode drivers enable attackers to evade endpoint detection and response (EDR) tools, antivirus software, and other security solutions that primarily monitor user-space activities.

• Persistence and Privilege Escalation: Malicious drivers can ensure persistent access by surviving system reboots and updates, and can escalate privileges through direct kernel-level access.

Real-world procedures involve adversaries using legitimate driver signing certificates—either stolen or fraudulently obtained—to bypass Windows Driver Signature Enforcement, or exploiting vulnerabilities in legitimate drivers (Bring Your Own Vulnerable Driver—BYOVD) to load malicious code.

When this Technique is Usually Used

The LSASS Driver sub-technique typically appears at various stages of cyber-attacks, including:

• Privilege Escalation Stage: Attackers leverage kernel-mode drivers to elevate privileges from user-level accounts to SYSTEM-level permissions, providing unrestricted access to system resources.

• Credential Access Stage: Malicious drivers directly interact with LSASS memory to extract credentials, enabling lateral movement and deeper network compromise.

• Persistence Stage: Attackers embed malicious drivers in the system to maintain persistent access, surviving reboots, security updates, and endpoint security scans.

• Defense Evasion Stage: Kernel-level drivers allow attackers to bypass security controls and evade detection by endpoint protection tools and antivirus solutions.

• Advanced Persistent Threat (APT) Operations: Sophisticated threat actors frequently employ this sub-technique to conduct long-term espionage, data exfiltration, and targeted attacks.

How this Technique is Usually Detected

Detection of the LSASS Driver sub-technique involves a combination of endpoint monitoring, memory analysis, and kernel-level inspection. Detection methods and tools include:

• Endpoint Detection and Response (EDR) Solutions:

  • Monitor kernel-mode driver loading events and flag unusual or unsigned drivers.

  • Alert on suspicious interactions between drivers and LSASS processes.

  • Detect abnormal memory reads or writes to LSASS memory space.

• Sysmon (System Monitor) and Windows Event Logs:

  • Track driver loading events (Event ID 6) and identify suspicious drivers.

  • Identify unusual process interactions and kernel-mode driver activities.

• Memory Forensics and Analysis:

  • Analyze memory dumps of LSASS for evidence of credential harvesting or unauthorized access.

  • Detect unusual kernel-mode hooks or injected code within LSASS memory.

• Driver Signature Verification:

  • Regularly verify driver signatures and detect drivers signed with suspicious or revoked certificates.

  • Identify drivers loaded using vulnerable or outdated legitimate drivers (BYOVD attacks).

Indicators of compromise (IoCs) include:

• Presence of suspicious or unknown kernel-mode drivers in %SystemRoot%\System32\drivers\.

• Unusual LSASS memory access patterns, particularly from kernel-mode drivers.

• Drivers signed with revoked, stolen, or suspicious digital certificates.

• Unexpected system crashes or stability issues potentially caused by malicious kernel-mode drivers.

• Abnormal registry modifications related to driver loading and persistence.

Why it is Important to Detect This Technique

Detecting the LSASS Driver sub-technique is critical due to its severe implications for system and network security. Early detection is essential because:

• Credential Theft Risk: Successful exploitation allows attackers to harvest critical credentials, enabling lateral movement, privilege escalation, and complete compromise of enterprise environments.

• Persistence and Stealth: Kernel-mode drivers offer attackers a robust and stealthy persistence mechanism, often undetected by standard endpoint security solutions.

• High-Level Privileges: Malicious drivers operate with kernel-level privileges, granting attackers unrestricted access to sensitive system resources, processes, and data.

• Evasion of Traditional Security Controls: Kernel-mode attacks bypass most user-level security measures, making them particularly dangerous and challenging to detect using conventional methods.

• System Stability and Integrity: Malicious drivers can cause system instability, crashes, or corruption, potentially impacting critical business operations and leading to service disruptions.

• Compliance and Regulatory Concerns: Failure to detect and remediate kernel-mode driver attacks can result in regulatory non-compliance, data breaches, and significant financial or reputational damage.

Examples

Real-world examples involving the LSASS Driver sub-technique include:

• Turla Group (Snake/Uroburos Malware):

  • Russian APT group known for deploying kernel-mode rootkits interacting with LSASS to extract credentials and maintain persistent access.

  • Uses advanced kernel-mode drivers to evade detection by antivirus and endpoint protection solutions.

• Lazarus Group (North Korean APT):

  • Utilized kernel-mode drivers in targeted attacks to extract credentials from LSASS memory, facilitating lateral movement across compromised networks.

  • Known for leveraging stolen or forged driver signing certificates.

• RobinHood Ransomware:

  • Employed malicious kernel-mode drivers to disable endpoint security products and gain unrestricted access to LSASS memory, enabling credential theft and lateral movement.

  • Leveraged a signed but vulnerable legitimate driver ("gdrv.sys") to load malicious kernel-mode code (BYOVD attack).

• BlackEnergy Malware:

  • Known for interacting with LSASS through kernel-mode drivers to maintain stealthy persistence and credential access in critical infrastructure attacks, notably against Ukrainian power grids.

• Winnti Group:

  • Chinese APT group utilizing kernel-mode drivers to manipulate LSASS and extract sensitive credentials, enabling espionage operations and prolonged network compromise.

In these examples, adversaries commonly employ sophisticated kernel-mode drivers, legitimate driver certificates, and vulnerable legitimate drivers to bypass security mechanisms, extract sensitive credentials, and maintain persistent, stealthy access across compromised environments.