Detecting and Hunting for the Malicious NetFilter Driver

Category:  Detection and Threat Hunting

Overview

During the week of June 21st, 2021, information security researchers from G Data discovered that a driver for Microsoft Windows named “netfilter.sys” had a backdoor added by a 3rd party that Microsoft then signed as a part of the Microsoft OEM program.  The malicious file is installed on a victim’s system as a component of an attack as part of the post-exploitation process. This means that the attacker must either have gained administrative privileges or already had access to run the installer to update the registry and install the malicious driver. This can occur during the post-exploitation process or set up to install the next time the system starts. Additionally, the victim can be convinced to install the driver as part of a pretexting attack.  At present, Microsoft has not seen the enterprise environment targeted, rather individual users at this time.

The following details are provided to assist organizations in detecting and threat hunting for this specific threat and other similar types of threats.

Investigating Malicious Drivers

Several tools can be used to check systems for indications of malicious drivers.  For example, tools such as SysInternals Autoruns and LOG-MD can investigate autoruns or persistence entries, with drivers being one type of persistence on a Windows server and workstation systems.

On a Windows system, drivers tend to be loaded from typically three locations:

  • C:\Windows\System32\Drivers
  • C:\WINDOWS\system32\DriverStore\FileRepository
  • Applications installed directory typically under “Program Files” or “Program Files x86”.

The malicious netfilter driver, in this case, can be found in a folder that drivers should never exist.  The odd driver location is a good artifact for execution detection and threat hunting. Any binary found in the following folder should be investigated:

  • %AppData% – C:\Users\<username>\AppData\Roaming

Windows also provides a built-in utility “driverquery” that can list the drivers, the state of the driver (running or stopped), and the driver’s key (location from which the driver was loaded).  To get a list of all the drivers of a system into CSV format that can then be opened in Microsoft Excel, execute the following command in an administrative command prompt:

  • driverquery /v /fo CSV | find /i /v “system32\drivers\” | find /i /v “driverstore” > C:\Windows\Temp\Driver_List_%computername%.csv

This command will filter out the two primary locations drivers are loaded, providing a short list of drivers on the system that should be investigated.  This command also includes the name of the system appended to the output filename to allow for easier review of artifacts collected from multiple systems.

Detection

Detecting the netfilter driver and similar malicious payloads is as simple as looking for binaries and drivers loaded from atypical locations. Add a rule to your SIEM, log management, EDR, or similar security tooling that looks for process execution (event ID 4688 of the Windows security log) from the following locations:

  • C:\Program Files
  • C:\Program Files x86
  • C:\ProgramData
  • %AppData% – C:\Users\<username>\AppData\Roaming
  • %LocalAppData% – C:\Users\<username>\AppData\Local

In order to collect event ID 4688, the Windows Advanced Audit Policy will need to have the following policy enabled:

  • Detailed Tracking – Audit Process Creation

We hope this information can assist in your detection and threat hunting efforts to detect this and similar types of attacks.

IOCs

The following indicators of compromise (IOCs) are provided to help in detection and threat hunting activities.

Folders the file(s) can be found

  • %AppData% – C:\Users\<username>\AppData\Roaming

Filenames

  • Netfilter.sys
  • Sdl.sys
  • File.sys

IP Addresses

  • 110.42.4[.]180
  • 45.113.202[.]180

File Hashes

  • 04a269dd0a03e32e5b2a1c8ab0768791962e040d080d44dc44dab01dd7954f2b
  • 0856a1da15b2b3e8999bf9fc51bbdedd4051e21fab1302e2ce766180b4931d86
  • 0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5
  • 0eace788e09c8d3f793a1fad94d35bcfd233f0777873412cd0c8172865562eec
  • 115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a1406
  • 12656fc113b178fa3e6bfffc6473897766c44120082483eb8059ebff29b5d2df
  • 12c0002af719c6abbc1e726b409fce099fffb90f758477f5295c152bde504caa
  • 16b6be03495a4f4cf394194566bb02061fba2256cc04dcbde5aa6a17e41b7650
  • 18b923b169b2c3c7db5cbfda0db0999f04adb2cf6c917e5b1fb2ff04714ecac1
  • 1aa8ba45f9524847e2a36c0dc6fd80162923e88dc1be217dde2fb5894c65ff43
  • 1cd75de5f54b799b60789696587b56a4a793cf60775b81f236f0e65189d863af
  • 1d1f7e26109e6cb28c6b369c937b407d7b0cce3c4800ce9852eda94742b12259
  • 1d60819f0ab8547dcd4eb18d39a0c317ec826332afa19c0a6af94bc681a21f14
  • 1f05f74ebae7e65d389703d423445ffb269e657d8278b0523417e1f72b0228eb
  • 1f90d9c4d259c1fde4c7bb66a95d71ea0122e4dfb75883a6cb17b5c80ce6d18a
  • 22da5a055b7b17c69def9f5af54e257c751507e7b6b9a835fcf6245ab90ae750
  • 22f6fe6bd62fb03f7aee489cccbc918999f49596052ac0153c02cd7a3320de13
  • 23c061933d471c1f959c77806098ec0528d9b1d0130689bb3f417dd843138468
  • 24ea733bae1b8722841fb4c6cead93c4c4f0b1248ca9a21601b1ce6b95b06864
  • 26d67d479dafe6b33c980bd1eed0b6d749f43d05d001c5dcaaf5fcddb9b899fe
  • 26f2b9cf6e0fb50bad49a367bee63e808f1d53c476b38642d13c7db6e50687f4
  • 2fa78c2988f9580b0c18822b117d065fb419f9c476f4cfa43925ba6cd2dffac3
  • 314affdc86f62c8f8069ccd50a2cdf73bcd319773a031be700ba97a1ea4129a8
  • 34c890fa43ca0e5165a4960549828ba43d7f48a216a22fc46204548ebfc34f72
  • 3700b38d63d426ff0a985226b45eca6e24d052f4262d12aff529e62c2cb889c3
  • 40c45c9b1c764777096b59f99ae524cbd25b88c805187e615c3ed6840f3d4c15
  • 45ee083e28fbb33afa41b1b8cd00d94c29dea8cb7cee70bae4079e6c3dfb5501
  • 4ce61ad21f186cf10dbcc253feee31262203cb5c12c5a140d2dda5447c57aba1
  • 516159871730b18c2bddedb1a9da110577112d4835606ee79bb80e7a58784a13
  • 5cb1dc26159c6700d6cadece63f6defda642ec1a6d324daefb0965b4e3746f70
  • 5d0d5373c5e52c4405f4bd963413e6ef3490b7c4c919ec2d4e3fb92e91f397a0
  • 62d7c5465852cdb7b59a86c20b4de5991c8f4820ce11a7c01cf0dde6032e500d
  • 630d7bdc20f33e6f822f52533a324865694886b7b74dfaad1dc30c9aee4260a2
  • 635273eaa4c2e20c4ec320c6c8447ce2e881984e97c9ed6aeec4fad16b934e81
  • 63d61549030fcf46ff1dc138122580b4364f0fe99e6b068bc6a3d6903656aff0
  • 640eeb3128ae5c353034ee29cb656d38c41353743396c1c936afd4d04a782087
  • 6703400b490b35bcde6e41ce1640920251855e6d94171170ae7ea22cdd0938c0
  • 6a234a2b8eb3844f7b5831ee048f88e8a76e9d38e753cc82f61b234c79fe1660
  • 6a6db5febdaf3f1577bf97c6e1e24913e6c78b134062c02fd1f9875099c03a3f
  • 6c7f24d8ed000bc7ce842e4875b467f9de1626436e051bd351adf1f6f8bbacf8
  • 70b63dfc3ed2b89a4eb8a0aa6c26885f460e5686d21c9d32413df0cdc5f962c7
  • 79e7165e626c7bde546cd1bea4b9ec206de8bed7821479856bdb0a2adc3e3617
  • 7ff8fe4c220cf6416984b70a7e272006a018e5662da3cedc2a88efeb6411b4a4
  • 8249e9c0ac0840a36d9a5b9ff3e217198a2f533159acd4bf3d9b0132cc079870
  • 8e0b330a8df3076153638f5b76afc24d1083ebccc60e4d63ee0df5c11c45d58a
  • 93d99a5fbfc888c0a40a18946933121ae110229dcf206b4d17116a57e7cf4dc9
  • 97030f3c81906334429afebbf365a89b66804ed890cd74038815ca18823d626c
  • 9b55b35284346bbcdc2754e60517e1702f0286770a080ee6ff3e7eed1cab812a
  • 9f9315790d0b0cc5213ac9a8eff0968cccc0a6c469b50d6598ce759748fe74bf
  • 9f9ebd6cd9b5b33ab2780122ee9c5feec84927f362890a062d13ef9816c7b85f
  • a0050c33c8263da02618872d642617959b3564fe173985e078bfedb89df93724
  • aa97f4f98ff842b1bfd78e920fcb1dedaec3f882dd19311bba6037430868e7a7
  • ad2dd8a68ce22d0959f341e9269e8033b34362b34bdea50b8ee2390907f1a610
  • b2cd9cca011064d03ddd8fe3521ce0e9f9d8b16f63e4ecaf03eacfef47d22dbf
  • b7516dca419d087ef844c42e061a834908f34e7363577ab128094973896222c8
  • b847e717215e0198cb4e863bd96390613f83eb92693171be50ca14255c5fb088
  • bbc58fd69ce5fed6691dd8d2084e9b728add808ffd5ea8b42ac284b686f77d9a
  • bfb4603902c6c9ff32bc36113280ee8b5687cc3ef4c0ff9fc56f2925c7f342f0
  • c0e74f565237c32989cb81234f4b5ad85f9dd731c112847c0a143d771021cb99
  • c2f23ad4e2f12c490cfd589764464e293d5d56c31b6b3f5081e2d677384cb2fe
  • c95af9eb52111b72563875d85d593d96d7e54e19690827a052377c77cc80e06f
  • caa0d9bb7ed2d21a76b71dfc22ffaef80371de8af2a03b8103cbcec332897a88
  • d0e1639e6386ef3c063bfae334fcc35cdfa85068ac1a65bb58f2463276c31ac9
  • d1ac4d07ba6fe1dd988c471975e49e35b83d03a9b9d626fa524fd8300b80b14a
  • d4335f4189240a3bcafa05fab01f0707cc8e3dd7a2998af734c24916d9e37ca8
  • d60fdabaf5a0ab375361d2ed1a9b39832bdb8bd33466d6c43d42a48ba2ffd274
  • e0afb8b937a5907fbe55a1d1cc7574e9304007ef33fa80ff3896e997a1beaf37
  • e2449ccc74e745c0339850064313bdd8dc0eff17b3a4e0882184c9576ac93a89
  • e8e7f2f889948fd977b5941e6897921da28c8898a9ca1379816d9f3fa9bc40ff
  • edc6e32e3545f859e5b49ece1cabd13623122c1f03a2f7454a61034b3ff577ed
  • ee6d0d0ea24be622521ee1a4defa5d5729b99ee2217ac65701d38d05dbc0d4e6
  • f1718a005232d1261894b798a60c73d971416359b70d0e545d7e7a40ed742b71
  • f83c357106a7d1d055b5cb75c8414aa3219354deb16ae9ee7efe8ee4c8c670ca
  • fd8a5313bf63f5013dc126620276fb4f0ef26416db48ee88cbaaca4029df1d73

Additional Reading