STONESTOP

MITRE ATT&CK list includes "T1195.002: Compromise Software Supply Chain" and the text discusses malicious drivers certified via Microsoft’s Windows Hardware Developer Program.

MITRE ATT&CK list includes "T1106: Native API"

Attackers used Windows Service Control (sc.exe) to load the driver: sc create fgt binPath= %TEMP%\fgt.sys type= kernel sc start fgt

use a loader named ‘STONESTOP’ to install a malicious signed driver dubbed ‘POORTRY’, which is designed to terminate processes associated with security software and to delete files as part of a Bring Your Own Vulnerable Driver (BYOVD) attack.

Attackers used Windows Service Control (sc.exe) to load the driver: sc create fgt binPath= %TEMP%\fgt.sys type= kernel sc start fgt

Poortry (also sometimes called BurntCigar) is a malicious kernel driver used in conjunction with a loader named Stonestop... The driver bypasses Driver Signature Enforcement by using any of the three techniques described above.

Poortry has evolved into something akin to a rootkit that also has with finite controls over a number of different API calls used to control low-level operating system functionality.

The second version was VMProtected and signed through the WHQL signing process. The third version was also signed through the WHQL signing process, but was protected with an unidentified packer.

Before reading from the file, STONESTOP verifies the file’s integrity against a predefined MD5 hash... reads process names from an external configuration file named, for example, poyuo.pdata.

Poortry now can also delete critical EDR components completely, instead of simply terminating their processes... The loader contains a list of hardcoded paths pointing at the location where EDR products are installed... and deletes files critical to the EDR agent, such as EXE files or DLL files.

SentinelOne has observed prominent threat actors abusing legitimately signed Microsoft drivers in active intrusions... a threat actor utilizing a Microsoft signed malicious driver to attempt evasion of multiple security products. | The toolkit contains simple protection mechanisms used to prevent its repurpose, reuse, and redistribution... STONESTOP functions as both a loader/installer for POORTRY.

SentinelOne has observed prominent threat actors abusing legitimately signed Microsoft drivers in active intrusions... a threat actor utilizing a Microsoft signed malicious driver to attempt evasion of multiple security products.

In general there are three ways EDR killer developers abuse code signatures: Abuse of leaked certificates... Signature timestamp forgery... Bypassing Microsoft attestation signing.

First, the user-mode component sends multiple I/O requests with IOCTL code 0x222144 to the kernel-mode component, including the process id of the process to kill.

“download tools… use the WebClient.DownloadString() method to download Cobalt Strike beacons… [T1105]”

In August 2023, during a Sophos X-Ops investigation, we found that attackers gained initial access via a remote access tool named SplashTop.

The file-tampering functionality features the capability to overwrite files... IOCTL 0x22218c Used to overwrite target files. This routine expects two parameters: a destination file path to overwrite, and a source path to read from.

First, the user-mode component sends multiple I/O requests with IOCTL code 0x222144 to the kernel-mode component, including the process id of the process to kill.

The second phase is focused on disabling EDR products through a series of different techniques, such as removal or modification of kernel notify routines... Poortry disables installed kernel callbacks through a series of different techniques.

Some new TTPs have also been employed in recent attacks, including... abusing kernel drivers to disable defenses... a signed 'helper' driver ... used to terminate the processes in the list.