The ValleyTerminator Hack: How a Vulnerable Driver Can Slay Your Enterprise Security

Introduction:

A new offensive security tool named ValleyTerminator has emerged. It is a bring-your-own-vulnerable-driver (BYOVD) tool: it loads a legitimately signed but vulnerable NsecSoft kernel driver and uses the driver's flaw to terminate Antivirus (AV) and Endpoint Detection and Response (EDR) processes from kernel context, where user-mode tamper protection cannot stop it. The technique is actively used by threat actors such as the Silverfox Group, and it represents a significant escalation in the cat-and-mouse game between attackers and defenders by turning a vendor's own signed code into the weapon.

Learning Objectives:

  • Understand the exploit chain used by ValleyTerminator to disable security software.
  • Learn defensive commands and configurations to detect and mitigate vulnerable driver attacks.
  • Implement advanced auditing and hardening techniques to protect against kernel-level exploits.

You Should Know:

1. Identifying and Listing Loaded Kernel Drivers

The first step in defense is discovery. Attackers scan for vulnerable drivers; defenders must do the same to know what is actually loaded on their hosts.

`PS C:\> Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.State -eq "Running" } | Select-Object Name, State, PathName | Format-List`

This PowerShell command queries all kernel driver services, filters for those currently running, and lists their names and image paths (`Get-CimInstance` replaces the deprecated `Get-WmiObject`, which is absent from PowerShell 7). A BYOVD tool has to register its driver as a service to load it, so the driver shows up here with the path it was loaded from. Diff this list against a known-good baseline and pay special attention to drivers whose `PathName` sits outside `System32\drivers` (Temp, Downloads, ProgramData, a user profile): a legitimate driver almost never runs from a user-writable directory.

2. Verifying Driver Digital Signatures

A missing or broken signature is an obvious red flag, but BYOVD cuts the other way: the driver ValleyTerminator abuses carries a valid vendor signature, which is exactly why 64-bit Windows with driver signature enforcement agrees to load it. Check signatures, but do not let a `Valid` status end the investigation.

`PS C:\> Get-AuthenticodeSignature -FilePath "C:\Path\To\Driver.sys" | Format-List`

This cmdlet checks the Authenticode signature of a specific driver file. A Status of `NotSigned`, `HashMismatch` or `UnknownError` requires immediate investigation; a Status of `Valid` only tells you the file has not been modified since it was signed. For every running driver, also compute its SHA256 hash (`Get-FileHash -Algorithm SHA256`) and compare it against Microsoft's vulnerable driver blocklist and your own list of known-vulnerable driver hashes, and look at the signer: a driver signed by a vendor your organisation has never deployed is suspect regardless of signature state. Automate this check across all drivers in your environment.
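The inventory, hashing and signature checks from the two steps above combined into one script. This is an added example, not code from the original post or from the ValleyTerminator author; `Resolve-DriverPath`, `Get-KernelDriverInventory` and the `$KnownVulnerableHashes` list are this example's own names, and the single entry in that list is a constructed placeholder (no real NsecSoft hash is published on this page), so populate it from your blocklist feed before relying on the `KnownVulnerable` flag.

```powershell
# Added example (not from the original post): inventory running kernel drivers,
# hash them, record their Authenticode status, and compare the hashes against a
# block list. $KnownVulnerableHashes is a constructed placeholder: replace it with
# hashes from your own feed (e.g. Microsoft's recommended driver block rules).

$KnownVulnerableHashes = @(
    '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder only
)

function Resolve-DriverPath {
    # Service PathName values come in several NT-style forms; map them to Win32 paths.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    if ($p -match '^\\\?\?\\(.+)$')       { $p = $Matches[1] }                       # \??\C:\...
    if ($p -match '^\\SystemRoot\\(.+)$') { $p = Join-Path $env:SystemRoot $Matches[1] } # \SystemRoot\...
    if ($p -match '^system32\\')          { $p = Join-Path $env:SystemRoot $p }         # system32\drivers\...
    if ($p -match '^[A-Za-z]:\\')         { return $p }
    return $null
}

function Get-KernelDriverInventory {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $file = Resolve-DriverPath $_.PathName
            if (-not $file -or -not (Test-Path -LiteralPath $file)) {
                # A running driver whose image cannot be found on disk deserves a look on its own.
                return [pscustomobject]@{ Name = $_.Name; Path = $_.PathName; Sha256 = $null
                                          SigStatus = 'FileNotFound'; Signer = $null; Flag = 'Investigate' }
            }
            $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
            $sig  = Get-AuthenticodeSignature -FilePath $file

            # Order matters: a known-vulnerable driver is flagged even when its signature is Valid.
            $flag = 'OK'
            if     ($KnownVulnerableHashes -contains $hash) { $flag = 'KnownVulnerable' }
            elseif ($sig.Status -ne 'Valid')                { $flag = 'BadSignature' }
            elseif ($file -notmatch '\\Windows\\System32\\drivers\\') { $flag = 'UnusualPath' }

            [pscustomobject]@{
                Name      = $_.Name
                Path      = $file
                Sha256    = $hash
                SigStatus = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
                Flag      = $flag
            }
        }
}

# Show only what needs a human: bad signatures, known-vulnerable hashes, odd locations.
Get-KernelDriverInventory | Where-Object Flag -ne 'OK' | Format-Table -AutoSize
```

Run it from an elevated prompt so every driver image is readable. The `UnusualPath` flag will also catch legitimate third-party drivers installed under Program Files, which is the point: those are the ones you want listed in your baseline rather than silently accepted.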

3. Auditing for Driver Load Events with Windows Event Log

Every driver load should leave a record; the gap BYOVD tools exploit is that nobody reads it.

`wevtutil.exe set-log "Microsoft-Windows-Kernel-PnP/Driver Watch" /enabled:true`

This command enables the Kernel-PnP driver-watch operational log, which you can then query for driver load activity (Event ID 2003, Driver loaded). Two sources that need no extra configuration are more useful for BYOVD hunting: the System log records Event ID 7045 ("A service was installed in the system") whenever a new kernel-mode driver service is registered, including its image path, and if Sysmon is deployed, Event ID 6 (Driver loaded) logs each load with the image path, hashes and signature status. A driver service installed from a user-writable directory is the classic BYOVD tell, and with either source you can alert on it within seconds of the load.

4. Blocking Known-Bad Drivers via Windows Defender Application Control (WDAC)

Proactively block drivers by hash or publisher so they never load, regardless of how valid their signature is.

First, confirm the built-in protection is on: Microsoft maintains a vulnerable driver blocklist that is enabled by default when memory integrity (HVCI) or Smart App Control is on, and it can be toggled under Windows Security > Device security > Core isolation > Microsoft Vulnerable Driver Blocklist. That list lags newly discovered drivers, so a WDAC policy carrying your own deny rules covers the gap. A WDAC policy that denies a driver by its SHA256 hash is written as XML (a `Deny` rule under `FileRules`, referenced from the kernel-mode signing scenario), compiled to its binary form with the `ConvertFrom-CIPolicy` PowerShell cmdlet, and deployed to endpoints with `CiTool.exe --update-policy` on Windows 11 or through Intune/GPO. Deploy it in audit mode first and watch the `Microsoft-Windows-CodeIntegrity/Operational` log (Event ID 3076 for an audit-mode violation, 3077 for an enforced block) before switching to enforcement.
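The policy-building steps above, as an added example that is not part of the original post: it uses the ConfigCI cmdlets that ship with Windows to generate the deny rule from a driver file rather than hand-writing the XML. `$DriverPath` is a placeholder for the driver you want to block (the page does not publish the NsecSoft driver's hash, so none is included here), and the policy name and output paths are this example's own choices.

```powershell
# Added example (not from the original post): build a WDAC policy that allows
# everything except one driver, denied at hash level, then compile it to the
# binary form Windows loads. Requires the ConfigCI module (built into Windows 10/11
# and Windows Server) and an elevated prompt.

$DriverPath   = 'C:\Path\To\Driver.sys'                  # placeholder: the driver to block
$TemplatePath = "$env:SystemRoot\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml"
$PolicyXml    = "$env:TEMP\DenyDriver.xml"

# 1. Hash-level deny rules for the driver. Hash rules are tied to file content, so a
#    renamed or relocated copy of the same binary is still blocked.
$DenyRules = New-CIPolicyRule -Level Hash -DriverFilePath $DriverPath -Deny

# 2. Merge the deny rules into the AllowAll template: the resulting policy blocks only
#    what we name and leaves every other driver alone.
Merge-CIPolicy -OutputFilePath $PolicyXml -PolicyPaths $TemplatePath -Rules $DenyRules

# 3. Policy options. 3 = Audit Mode (violations are logged as CodeIntegrity event 3076
#    instead of blocked); remove it to enforce, at which point blocks log as 3077.
#    6 = Unsigned System Integrity Policy, needed to deploy an unsigned policy while
#    testing; sign the policy for production so an attacker cannot simply delete it.
Set-RuleOption -FilePath $PolicyXml -Option 3
Set-RuleOption -FilePath $PolicyXml -Option 6

# 4. Give the policy its own ID. The binary must be named <PolicyID>.cip for Windows
#    to load it as a supplemental/multiple-format policy, so capture the ID here.
$PolicyId  = Set-CIPolicyIdInfo -FilePath $PolicyXml -PolicyName 'Deny-VulnerableDriver' -ResetPolicyID
$PolicyId  = $PolicyId.Substring(11)          # cmdlet returns "PolicyID = {GUID}"
$PolicyBin = Join-Path $env:TEMP "$PolicyId.cip"

# 5. Compile to binary. Deploy with CiTool on Windows 11 (or via MDM/GPO on older builds):
#    CiTool.exe --update-policy $PolicyBin
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Write-Host "Compiled policy: $PolicyBin"
```

Open the generated XML before deploying it: the `FileRules` section will contain the `Deny` entry with the driver's hashes, and you can add further `New-CIPolicyRule -Deny` results (for example one per hash from a public vulnerable-driver list) to the same `$DenyRules` array before the merge.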

5. Hunting for Process Termination Events

ValleyTerminator's end state is a dead AV/EDR process, so the process exit itself is the event to hunt.

`PS C:\> auditpol /set /subcategory:"Process Termination" /success:enable`

`PS C:\> Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4689} | Where-Object { $_.Message -match 'MsMpEng\.exe' } | Select-Object -First 10`

Security Event ID 4689 (A process has exited) is only written when the "Process Termination" audit subcategory is enabled, which it is not by default, hence the `auditpol` line. The query then searches the Security log for 4689 events and filters on the image name of a critical security process (Defender's `MsMpEng.exe` here; substitute your EDR agent). Filtering on the message text rather than a `Data=` key avoids having to match the full process path exactly. Note what 4689 does not tell you: it records that the process exited and its exit status, never who killed it. Because security agents normally run as protected processes (PPL) that even an administrator cannot terminate, a sudden, unexpected exit of one is a high-fidelity alert in its own right.

6. Linux Equivalent: Auditing Kernel Module Loading

The principle applies to Linux; auditing module loads is critical for integrity.

`auditctl -w /usr/sbin/modprobe -p x -k kernel-module-loading`

`auditctl -a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k kernel-module-loading`

The first `auditctl` command adds a file watch (`-w`) on the `modprobe` binary that fires whenever it is executed (`-p x`) and tags the resulting records with the key `kernel-module-loading` (`-k`), so they can be pulled back with `ausearch -k kernel-module-loading`. A watch on `modprobe` alone is easy to sidestep (a loader can call the kernel directly, or `modprobe` may live at `/sbin/modprobe` on your distribution), so the second rule audits the `init_module`, `finit_module` and `delete_module` system calls themselves; add a matching `-F arch=b32` rule on systems that run 32-bit binaries. Rules added with `auditctl` do not survive a reboot; put them in a file under `/etc/audit/rules.d/` to persist them. Monitor the audit log (`/var/log/audit/audit.log`) for these events to detect unauthorized module loading, and pair the auditing with prevention: enforced module signing (`module.sig_enforce=1`) and kernel lockdown are the Linux counterparts of WDAC driver rules.

7. Implementing Sysmon for Enhanced Process Termination Logging

System Monitor (Sysmon) provides superior logging detail for security investigations and, unlike Security 4689, needs no audit policy change.

```xml
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="SecurityProcessTerminate" groupRelation="or">
      <!-- Event ID 5: log when these images exit. Matching on the image name suffix
           keeps the rule working across versioned install paths. -->
      <ProcessTerminate onmatch="include">
        <Image condition="end with">MsMpEng.exe</Image>
        <Image condition="end with">CrowdStrike.exe</Image>
      </ProcessTerminate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

This Sysmon configuration rule (within the `ProcessTerminate` event) generates a log entry (Event ID 5) when one of the listed security processes exits; load it with `sysmon64 -c config.xml`. Event 5 carries the exiting process's image, PID, ProcessGuid and user, but not the process that killed it, and a termination driven from kernel context through a vulnerable driver may leave no Event ID 10 handle-open from the attacker's process at all, which is itself a distinguishing feature. Correlate by time instead: look for an Event ID 6 (driver loaded) and the Event ID 1 (process create) of the tool that loaded it in the minutes before the exit. Replace `CrowdStrike.exe` with the actual image name of your EDR sensor (the Falcon sensor, for example, runs as `CSFalconService.exe`) and add every agent component you consider critical.
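The correlation described in steps 3, 5 and 7 (a driver load followed shortly by the exit of a protected security process) as working detection logic. This is an added example, not code from the original post: `Find-DriverAssistedKills`, `ConvertFrom-SysmonEvent`, the `$ProtectedImages` list and the 10-minute window are this example's own choices, and `$SampleEvents` is a constructed set of Sysmon-shaped records built inline so the script runs offline.

```powershell
# Added example (not from the original post): flag a protected security process
# exiting (Sysmon ID 5) within a window after a kernel driver load (Sysmon ID 6).
# The sample events below are constructed for this example; in production, pipe
# real records through ConvertFrom-SysmonEvent (defined at the bottom).

$ProtectedImages = @('MsMpEng.exe', 'MsSense.exe', 'CSFalconService.exe')   # adjust to your agents

# Constructed sample: a driver loaded from a user-writable path, the Defender
# engine exiting 40 seconds later, and an unrelated notepad exit much later.
$SampleEvents = @(
    [pscustomobject]@{ Id = 6; Time = [datetime]'2024-01-01T10:00:00Z'; Image = $null
                       ImageLoaded = 'C:\Users\Public\drv.sys'; Signature = 'Example Vendor'
                       SignatureStatus = 'Valid'; Hashes = 'SHA256=AAAA' }
    [pscustomobject]@{ Id = 5; Time = [datetime]'2024-01-01T10:00:40Z'
                       Image = 'C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe' }
    [pscustomobject]@{ Id = 5; Time = [datetime]'2024-01-01T11:30:00Z'
                       Image = 'C:\Windows\System32\notepad.exe' }
)

function Find-DriverAssistedKills {
    param(
        [Parameter(Mandatory)] $Events,
        [string[]] $Protected = $ProtectedImages,
        [int] $WindowMinutes = 10
    )
    $loads = $Events | Where-Object Id -eq 6 | Sort-Object Time
    $Events | Where-Object Id -eq 5 | ForEach-Object {
        $exit = $_
        $leaf = Split-Path -Leaf $exit.Image
        if ($Protected -notcontains $leaf) { return }          # only care about security agents

        # Any driver loaded in the window before the exit is a candidate source of the kill.
        $suspects = $loads | Where-Object {
            $_.Time -le $exit.Time -and $_.Time -ge $exit.Time.AddMinutes(-$WindowMinutes)
        }
        [pscustomobject]@{
            Severity      = if ($suspects) { 'High' } else { 'Medium' }   # a PPL exit alone is still odd
            ProcessExited = $leaf
            ExitTime      = $exit.Time
            DriversLoaded = ($suspects | ForEach-Object { "$($_.ImageLoaded) [$($_.SignatureStatus)]" }) -join '; '
        }
    }
}

function ConvertFrom-SysmonEvent {
    # Flatten a live Sysmon EventLogRecord into the shape Find-DriverAssistedKills expects.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $d = @{}
        ([xml]$Record.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Id = $Record.Id; Time = $Record.TimeCreated
            Image = $d['Image']; ImageLoaded = $d['ImageLoaded']
            Signature = $d['Signature']; SignatureStatus = $d['SignatureStatus']; Hashes = $d['Hashes']
        }
    }
}

# Offline run over the constructed sample: expect one High finding for MsMpEng.exe.
Find-DriverAssistedKills -Events $SampleEvents | Format-Table -AutoSize

# Live run (commented out; needs Sysmon with the ProcessTerminate rule from step 7):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; ID = 5, 6 } |
#         ConvertFrom-SysmonEvent
# Find-DriverAssistedKills -Events $live
```

The `Severity` split is deliberate: a protected-process exit with no preceding driver load is still worth a ticket (it may be a crash, an update, or a kill through a driver loaded before your collection window), while one that follows a fresh driver load from an unusual path is the BYOVD pattern this page describes and should page someone.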

What Undercode Say:

  • Kernel Trust is the New Battleground: This exploit underscores that the kernel, the most trusted part of the OS, is now a primary attack vector. Security strategies must evolve beyond userland protections.
  • Detection Over Blind Prevention: While blocking known-bad drivers is good, advanced attackers will move to drivers not yet on any blocklist, or to stolen or forged signatures. Robust auditing and anomaly detection in driver load behavior are non-negotiable for a mature security posture.
    The ValleyTerminator tool is not an isolated novelty but a symptom of a broader trend. Offensive tooling is becoming increasingly sophisticated, leveraging flaws in legitimate, signed software to achieve its goals. This moves the defense perimeter from simply detecting malicious files to deeply understanding system behavior and kernel-level interactions. The fact that this technique is linked to active threat groups like Silverfox means it is not just theoretical; it is in active play. Defenders must shift their focus from purely preventative measures to assume-breach detection strategies, meticulously monitoring for the subtle signs of kernel-level manipulation and the security service disruption that follows. The time to implement these auditing controls was yesterday.

Prediction:

The success of tools like ValleyTerminator will catalyze a surge in kernel-level exploit development and usage by both state-sponsored and cybercriminal groups. We will see an arms race in vulnerable driver exploitation (living-off-the-land drivers, or LOLDrivers), forcing EDR vendors to develop deeper, more resilient hooks within the Windows kernel and potentially leading to an industry-wide shift towards hardware-assisted protections: hypervisor-protected code integrity (HVCI) to enforce which kernel code may run, kernel-mode shadow stacks built on Intel CET to protect control flow, and hardware roots of trust such as Microsoft's Pluton security processor to attest to the platform's integrity. Failure to adapt will leave organizations critically exposed to attacks that can silently disarm their entire security infrastructure.

Reported By: Mertdas Valleyterminator – Hackers Feeds