
Windows’ Driver Signature Enforcement, the policy that requires all kernel-mode drivers to be digitally signed by a trusted Certificate Authority (CA), does not check certificate revocation lists at kernel load time. Researchers noted that this is legacy behavior which remains exploitable because of backward-compatibility features introduced years ago: they carve out an exception for drivers signed with certificates issued before July 29, 2015, that chain to a supported cross-signed CA.
The EnCase driver contains a timestamp from a VeriSign service, which the authentication check still considers valid. “When code is signed with a timestamp, Windows validates the signature against the time the signature was created, not the current date,” the researchers noted. “Because the driver was timestamped while the certificate was still valid (before January 31, 2010), the signature remains valid indefinitely, even though the certificate has since expired.”
Once in the kernel, the driver exposes an IOCTL interface that lets the malware terminate arbitrary processes with full system privileges. The exposed functionality includes process-termination commands that bypass the user-mode safeguards for Protected Process Light (PPL) processes, the defenses EDR systems depend on to resist tampering.
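As an added defender-side audit (not code from the article or the researchers), the following PowerShell lists running kernel drivers whose embedded Authenticode signature is carried only by a timestamp on a now-expired certificate, or whose signing certificate predates the July 29, 2015 cutoff described above. Only the cutoff date comes from the article; the cmdlets are standard Windows ones and the flagging logic is constructed here.

```powershell
# Added audit example (not from the article): enumerate running kernel drivers and flag
# signatures that stay 'Valid' only because of a timestamp on an expired certificate, or
# whose signing certificate was issued before the 2015-07-29 cross-signing cutoff.
$Cutoff = Get-Date '2015-07-29'

function Get-LegacySignedDrivers {
    $drivers = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        # PathName may be an NT-style path (\SystemRoot\..., \??\C:\...) or relative to %SystemRoot%
        $path = $d.PathName -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $cert = $sig.SignerCertificate
        if (-not $cert) { continue }   # no embedded signer (unsigned or catalog-only); review separately

        $now         = Get-Date
        $expired     = $cert.NotAfter -lt $now
        $timestamped = $null -ne $sig.TimeStamperCertificate
        $preCutoff   = $cert.NotBefore -lt $Cutoff

        # A 'Valid' status with an expired signer certificate means the countersignature
        # timestamp is what keeps the signature acceptable, exactly the case described above.
        $timestampCarried = ($sig.Status -eq 'Valid') -and $expired -and $timestamped

        if ($timestampCarried -or $preCutoff) {
            [pscustomobject]@{
                Driver           = $d.Name
                Path             = $path
                Status           = $sig.Status
                SignerSubject    = $cert.Subject
                CertNotBefore    = $cert.NotBefore
                CertNotAfter     = $cert.NotAfter
                TimestampCarried = $timestampCarried
                PreCutoffCert    = $preCutoff
            }
        }
    }
}

Get-LegacySignedDrivers | Sort-Object CertNotBefore | Format-Table -AutoSize
```

The output is a triage list, not a verdict: many legitimate legacy drivers match, so compare hits against Microsoft's vulnerable-driver blocklist and your own inventory before acting.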
