Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
Malware

NSecKrnl.sys

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Persistence

1 technique
T1543.003Windows ServiceEvidence1

"C:\Program Files (x86)\cloudflared\cloudflared.exe" service install <TOKEN> ... First, the loader created a kernel driver service using the vulnerable NSecKrnl.sys driver: sc create NSecKrnl binPath= "c:\users\[REDACTED]\NSecKrnl.sys" type=filesys

Privilege Escalation

2 techniques
T1068Exploitation for Privilege EscalationEvidence2

Threat actors associated with Qilin and Warlock ransomware operations have been observed using the bring your own vulnerable driver (BYOVD) technique to silence security tools running on compromised hosts.

T1543.003Windows ServiceEvidence1

"C:\Program Files (x86)\cloudflared\cloudflared.exe" service install <TOKEN> ... First, the loader created a kernel driver service using the vulnerable NSecKrnl.sys driver: sc create NSecKrnl binPath= "c:\users\[REDACTED]\NSecKrnl.sys" type=filesys

Stealth

1 technique
T1211Exploitation for Defense EvasionEvidence1

the file that was renamed to TrendSecurity.exe functioned as a loader that exploited the vulnerable NSecKrnl.sys driver to continuously terminate security processes.

Command and Control

1 technique
T1105Ingress Tool TransferEvidence1

These methods include exploiting the Nsec driver with a new BYOVD technique as well as using the remote-access tool TightVNC and the reverse-proxy tool Yuze...

Other

1 technique
T1562Impair DefensesEvidence3

The DLL loader implements an array of techniques to evade detection. It neutralizes user-mode hooks, suppresses Event Tracing for Windows (ETW) event logs... Once launched, the malware makes use of two drivers... to terminate processes associated with over 300 different EDR drivers.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping5

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.