Profile

Doug Bienstock

Director of Professional Services at Mandiant

Doug Bienstock is a Director of Professional Services for Mandiant, where his primary role is to lead incident response engagements. Doug has over nine years of experience in the information security industry spanning a broad range of security consulting services, including incident response, digital forensics, network analysis, cloud computing, and red teaming.

Mr. Bienstock specializes in hybrid cloud intrusions, where threat actors target an organization’s on-premises and cloud environments and the technologies that sync the two together. While at Mandiant, Mr. Bienstock has spoken at several information security conferences on his research into the security of the Microsoft 365 cloud.

All Sessions

Day 1
May 9, 2024
9:30 am

Microsoft Signed my Malware

Time: 9:30 am - 10:00 am

During an Incident Response investigation, Mandiant discovered a malicious driver used to terminate select processes on Windows systems. In this case, the driver was used in an attempt to terminate the Endpoint Detection and Response (EDR) agent on the endpoint. Mandiant tracks the malicious driver and its loader as POORTRY and STONESTOP respectively. Soon after the initial discovery, Mandiant observed a POORTRY driver sample signed with a Microsoft Windows Hardware Compatibility Authenticode signature.

Careful analysis of the driver’s Authenticode metadata led to a larger investigation into malicious drivers signed via the Windows Hardware Compatibility Program. The investigation found a wider issue:

- The malicious drivers are signed directly by Microsoft, and identifying the original software vendor requires inspecting the signature with code.
- Several distinct malware families, associated with distinct threat actors, have been signed through this process.
- Mandiant identified at least nine unique organization names associated with attestation-signed malware.
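As an added example (not code from the talk or from the Mandiant blog post), the PowerShell function below shows what "inspecting the signature with code" looks like in practice: it reads each driver's Authenticode signature, reports the signer, and extracts the Enhanced Key Usage OIDs from the leaf certificate, which the Windows file-properties dialog does not surface. The function name, the scan path, and the treatment of OIDs under the 1.3.6.1.4.1.311.97 arc as a per-submitter identifier are assumptions made for illustration; the page does not state how the organization names were recovered, and the script does not attempt that mapping.

```powershell
# Added example (not from the Mandiant talk or blog): enumerate driver files,
# report the Authenticode signer, and dump the leaf certificate's EKU OIDs.
# Assumption: attestation-signed (WHCP) drivers carry a signer whose CN is
# "Microsoft Windows Hardware Compatibility Publisher" and an EKU OID under the
# 1.3.6.1.4.1.311.97 arc that is specific to the submitting publisher. Treat
# that as a working hypothesis and confirm it against known-good drivers first.

function Get-DriverAttestationInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path   # directory (recursed) or single .sys file
    )

    $whcpSignerCn = 'Microsoft Windows Hardware Compatibility Publisher'
    $publisherArc = '1.3.6.1.4.1.311.97.'   # assumption: per-publisher EKU arc

    Get-ChildItem -Path $Path -Filter *.sys -File -Recurse | ForEach-Object {
        $file = $_
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
        $cert = $sig.SignerCertificate

        # Unsigned or broken signatures are still worth reporting when hunting.
        if (-not $cert) {
            [pscustomobject]@{
                File          = $file.FullName
                Status        = $sig.Status
                Signer        = $null
                IsWhcpSigned  = $false
                PublisherOids = @()
                AllEkuOids    = @()
                Thumbprint    = $null
            }
            return
        }

        # Collect every EKU OID from the leaf certificate (not the whole chain).
        $ekuOids = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekuOids += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }

        $isWhcp  = $cert.Subject -like "*CN=$whcpSignerCn*"
        $pubOids = @($ekuOids | Where-Object { $_.StartsWith($publisherArc) })

        [pscustomobject]@{
            File          = $file.FullName
            Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer        = $cert.Subject
            IsWhcpSigned  = $isWhcp
            PublisherOids = $pubOids             # pivot key for hunting, if the assumption holds
            AllEkuOids    = $ekuOids
            Thumbprint    = $cert.Thumbprint
        }
    }
}

# Usage: group WHCP-signed drivers by publisher OID so that one known-bad sample
# leads you to its siblings from the same submitter.
Get-DriverAttestationInfo -Path 'C:\Windows\System32\drivers' |
    Where-Object IsWhcpSigned |
    Group-Object { $_.PublisherOids -join ',' } |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Two caveats for anyone adapting this. Get-AuthenticodeSignature returns only the primary signature, so a driver that is dual-signed (vendor certificate first, Microsoft attestation signature nested) will show the vendor as signer; for those, verify every signature with signtool verify /v /all or parse the PKCS#7 blob directly. And a Valid status only means the chain verifies, which is exactly the property a signed malicious driver has; the hunting value is in the signer identity and the EKU OIDs, not in the status field.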

Mandiant will discuss the abuse of the attestation signing process to sign malware, hunting methodologies to detect and escalate these samples, and the impact these findings had.

While a portion of this content was released publicly in the Mandiant blog post “I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware”, the main discussion points were not released, and the talk will cover how the hunting methodology was applied.