
GhostHook - Windows 10 Rootkit Technique


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

A new technique which could already be in use enables attackers to bypass Microsoft PatchGuard and as a result, it is believed there could be a return of the rootkit rarely seen on 64bit Windows systems.

Threat details

Malware using this technique can execute code in the kernel and remain completely undetected. PatchGuard was developed to prevent users from patching the kernel and, in turn, to prevent rootkit installation at the kernel level. Together with the memory protections built into Windows 10, its effectiveness has been evident: no rootkit seen to date has been able to bypass these protections. Researchers behind the GhostHook project claim they may have discovered a technique that brings attackers one step closer to bringing rootkits to Windows 10.

The technique exploits Microsoft's implementation of the Intel PT (Processor Trace) API, a feature released to allow security vendors to hook into PatchGuard and monitor the instructions executed by the CPU, so that attacks can be discovered before they reach the operating system.

GhostHook bypasses this protection, allowing code executed in the kernel to go completely unnoticed by security products that rely on Intel PT.

With access to the GhostHook technique, an attacker could use it to hook a rootkit directly into the kernel that could gain persistence and continue operating indefinitely, unnoticed by anti-malware, firewalls and host-based intrusion detection systems.

Microsoft have stated that they will not be publishing a patch for GhostHook, as it is not regarded as an intrusion or privilege-escalation vulnerability. To write to the kernel as the technique requires, an attacker would need to have already gained administrator privileges on the target device, and Microsoft therefore deem the system already compromised at that stage.


Remediation steps

  • As Microsoft will not be releasing a patch at this stage, the best chance of mitigating the impact of GhostHook lies with vendors whose products rely on the functionality it affects. Users are therefore advised to contact their host-based protection vendors to ascertain whether they are affected and if, and when, patches are expected to be released.
  • As the technique requires administrator access, a prior intrusion must already have taken place, with delivery likely via phishing emails, malicious websites, removable media and similar channels. Standard mitigations, such as awareness of potential phishing campaigns and of the dangers of opening attachments, should therefore be maintained to help reduce the threat.

Last edited: 17 February 2020 11:31 am