Threat actors are bypassing security controls with malicious kernel-mode hardware drivers that were signed through Microsoft's Windows Hardware Developer Program. The drivers are used in post-exploitation operations on systems where the attacker already holds administrator rights.
Microsoft was informed that several Microsoft Partner Center developer accounts had been used to submit fraudulent hardware drivers for Microsoft signing. Two new tools, STONESTOP and POORTRY, were discovered by Mandiant and SentinelOne: STONESTOP uses the Microsoft-signed POORTRY driver to terminate the associated protected processes or Windows services.