
This isn't the first time the Process Explorer driver was exploited to enable malware to bypass EDR systems. An open-source anti-malware tool called Backstab, first published in 2021, or a version of it, has been used in attacks. In November 2022, a criminal used Backstab to disable EDR processes before delivering LockBit. Three months later, SentinelOne researchers wrote about MalVirt, a tool that used the same Process Explorer driver.

Drivers make attractive tools for cybercriminals. Although they are low-level system components, they can access critical security structures in kernel memory. For security reasons, Windows includes a feature called Driver Signature Enforcement, which ensures that kernel-mode drivers have been signed by a valid code-signing authority before Windows lets them run. The OS treats that signature as verification of the software's identity.
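The signature check described above can also be run by a defender after the fact. The following PowerShell script is an added example, not code from the article or from any of the vendors it mentions: it enumerates the kernel drivers registered on a Windows host, verifies each driver file's Authenticode signature, and reports anything that is unsigned or fails validation, plus any validly signed driver whose publisher appears on a review list. The `$reviewPublishers` list is a placeholder to be filled from your own intelligence, and the path normalisation assumes the usual `\SystemRoot` and `\??\` prefixes seen in `Win32_SystemDriver.PathName`.

```powershell
# Added example (not from the article): audit registered kernel drivers
# against the same property Driver Signature Enforcement relies on, a valid
# Authenticode signature, and surface the ones an analyst should look at.

# Placeholder: publisher substrings whose drivers you want flagged for review
# even when the signature is valid (fill from your own threat intelligence).
$reviewPublishers = @('<publisher-name-to-review>')

# Win32_SystemDriver lists every kernel driver known to the service control
# manager, running or not. Entries without a file path are skipped.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName }

$results = foreach ($drv in $drivers) {
    # PathName may be a raw NT path such as \SystemRoot\System32\drivers\x.sys
    # or \??\C:\...\x.sys; normalise it into a Win32 path.
    $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # Get-AuthenticodeSignature validates embedded and catalog signatures and
    # returns a Status such as Valid, NotSigned, HashMismatch or UnknownError.
    $sig    = Get-AuthenticodeSignature -LiteralPath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    # A valid signature only proves identity, not that the driver is safe:
    # the drivers abused in the incidents above were validly signed.
    $needsReview = [bool]($reviewPublishers | Where-Object { $signer -like "*$_*" })

    [pscustomobject]@{
        Name   = $drv.Name
        State  = $drv.State
        Path   = $path
        Status = $sig.Status
        Signer = $signer
        Review = $needsReview
    }
}

# Report unsigned or invalid drivers, and signed drivers whose publisher is on
# the review list. Everything else passed the identity check.
$results |
    Where-Object { $_.Status -ne 'Valid' -or $_.Review } |
    Sort-Object Status, Name |
    Format-Table Name, State, Status, Signer, Path -AutoSize
```

Run it from an elevated PowerShell session so every driver file is readable. Because the abuse described in the article relies on drivers that pass this check, the output of the `Valid` rows is only useful when compared against a list of known-abusable drivers, such as Microsoft's recommended driver block rules for Windows Defender Application Control; loading of a legitimately signed but vulnerable driver is a detection opportunity, not something the signature check alone will prevent.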
