CyberArk Labs Identifies “GhostHook” Technique That Bypasses PatchGuard in Windows OS

 

June 22, 2017 | CyberArk Labs Security and Risk | Amy Burnis

Today on CyberArk’s Threat Research Blog, CyberArk Labs has published details about a new attack technique that bypasses PatchGuard in Windows OS. For our business readers, we offer this executive summary with highlights of the potential security impact:

Up until now, we haven’t seen many successful rootkits on Windows 10 64-bit, thanks in large part to PatchGuard (Kernel Patch Protection). Research by CyberArk Labs has uncovered an attack technique called GhostHook in the Windows OS that can let an attacker bypass PatchGuard, making it easy for an attacker to gain rootkit abilities on Windows x64 OS machines. This attack technique gives cyber attackers full control over the network including the ability to intercept anything on the system.

More than 400 million devices worldwide currently run on Windows 10. GhostHook is the first attack technique identified that will bypass PatchGuard – giving attackers the ability to take full control over 64-bit systems at the kernel level.

Attackers will now be able to go completely unnoticed by all security measures that rely on retrieving reliable information from the OS Kernel – this includes AV, personal firewalls, HIPS, and many next-gen endpoint products.

Attackers can now easily bury a rootkit in the kernel – completely undetectable to security solutions and invisible to MSFT’s PatchGuard itself. This attack technique could also lead to the proliferation of more sophisticated, 64-bit malware – typically used in APT campaigns by nation states.

Of note, 64-bit malware makes up less than 1% of the current threat landscape. 64-bit malware includes Shamoon, the disk-wiping malware used against Saudi Aramco, and Flame. Both examples are country-grade espionage malware.

Please read the original post for the full technical details and Microsoft’s response to the reported vulnerability.

 
