malicious-network-driver.md

File metadata and controls

43 lines (35 loc) · 1.75 KB
|**ID**|**Objective(s)**|**Related ATT&CK Techniques**|**Version**|**Created**|**Last Modified**|
|----|----|----|----|----|----|
|**B0026**|Lateral Movement, Persistence|None|2.0|1 August 2019|08 May 2023|

# Malicious Network Driver

Malicious network drivers can be installed on several machines on a network via an exploited server with high uptime. Once the drivers are installed on the host machines, they can re-infect the server if it is restarted (Persistence), can infect other machines on the network (Lateral Movement), and can redirect traffic on the network (Impact).

A malicious network driver can tunnel outside traffic into the network, allowing the attackers to reach remote desktop sessions or to connect to servers inside the domain with previously acquired credentials. With those credentials they can re-deploy the entire platform after a large-scale shutdown or power loss, so the malware survives on network-connected systems even after a reboot. Persistence follows from the infected hosts reconnecting to the server: the malware reinstalls itself on the server, which then (re)infects the remaining systems on the network.
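The behavior above leaves an artifact on every infected host: a kernel driver registered into the NDIS stack as a filter, protocol or client component. The following hunting script is an added example written for this page, not code from the MBC entry or from any reporting on the malware named below. It walks the network component classes under `HKLM\SYSTEM\CurrentControlSet\Control\Network`, resolves each component to the service binary that implements it, and flags drivers whose Authenticode or catalog signature is missing, invalid, or from a publisher outside an allow-list. It assumes Windows 10 / Server 2016 or later, an elevated PowerShell 5.1+ session, and that the allow-list of signer subjects is an illustrative starting point to be tuned for your fleet.

```powershell
# Added example: inventory NDIS filter, protocol and client components on this host,
# resolve each to its kernel driver, and flag drivers that are unsigned, invalidly
# signed, or signed by an unexpected publisher. Illustrative hunting code written
# for this page; not part of the MBC entry or of any vendor tool.
# Assumptions: Windows 10 / Server 2016+, elevated PowerShell 5.1+, tuned allow-list.

# Network component classes under HKLM\SYSTEM\CurrentControlSet\Control\Network.
$ClassGuids = @{
    NetService = '{4D36E974-E325-11CE-BFC1-08002BE10318}'   # NDIS filter (LWF) drivers
    NetTrans   = '{4D36E975-E325-11CE-BFC1-08002BE10318}'   # protocol drivers
    NetClient  = '{4D36E973-E325-11CE-BFC1-08002BE10318}'   # network client drivers
}

# Illustrative allow-list of signer subjects (prefix match); extend with your vendors.
$TrustedSubjects = @(
    'CN=Microsoft Windows',
    'CN=Microsoft Windows Hardware Compatibility Publisher'
)

function Resolve-DriverPath {
    param([Parameter(Mandatory)][string]$ImagePath)
    # Service ImagePath values come in several shapes:
    #   \SystemRoot\System32\drivers\x.sys, system32\DRIVERS\x.sys, \??\C:\...\x.sys
    $p = $ImagePath.Trim('"')
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }
    if ($p -match '^\\SystemRoot\\(.+)$') {
        $p = Join-Path $env:SystemRoot $Matches[1]
    } elseif ($p -notmatch '^[A-Za-z]:\\') {
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-NdisComponents {
    # Each component instance key holds ComponentId/Description; its Ndi subkey
    # names the service (driver) that implements it.
    foreach ($class in $ClassGuids.GetEnumerator()) {
        $base = "HKLM:\SYSTEM\CurrentControlSet\Control\Network\$($class.Value)"
        foreach ($key in (Get-ChildItem -Path $base -ErrorAction SilentlyContinue)) {
            $ndi = Get-ItemProperty -Path "$($key.PSPath)\Ndi" -ErrorAction SilentlyContinue
            if (-not $ndi -or -not $ndi.Service) { continue }   # e.g. the Descriptions key
            $comp = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                Class       = $class.Key
                ComponentId = $comp.ComponentId
                Description = $comp.Description
                Service     = $ndi.Service
            }
        }
    }
}

function Test-NdisDriverSignatures {
    param([string[]]$AllowedSubjects = $TrustedSubjects)
    foreach ($c in Get-NdisComponents) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($c.Service)"
        $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
        if (-not $svc -or -not $svc.ImagePath) { continue }
        $path = Resolve-DriverPath -ImagePath $svc.ImagePath
        # Get-AuthenticodeSignature also resolves catalog signatures on Windows 8+,
        # which is how most inbox drivers are signed (SignatureType = Catalog).
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $status  = if ($sig) { [string]$sig.Status } else { 'FileMissing' }
        $sigType = if ($sig) { [string]$sig.SignatureType } else { '' }
        $subject = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $trusted = [bool]($AllowedSubjects | Where-Object { $subject.StartsWith($_) })
        [PSCustomObject]@{
            Class       = $c.Class
            ComponentId = $c.ComponentId
            Service     = $c.Service
            Driver      = $path
            Status      = $status
            SigType     = $sigType
            Signer      = $subject
            Suspicious  = ($status -ne 'Valid') -or (-not $trusted)
        }
    }
}

# Suspicious rows first; review anything not signed by a publisher you expect.
Test-NdisDriverSignatures | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Two caveats when reading the output. First, a valid signature is not a clean bill of health: the allow-list is there precisely so that a correctly signed driver from a publisher you do not expect still surfaces for review, and legitimate third-party filters (packet capture, VPN and endpoint-security drivers) will appear until you add their signers. Second, because the behavior described above re-seeds the server from other hosts, a one-off run on the server proves little; collect this inventory across the fleet and diff it against a known-good baseline so that a driver present on many hosts but absent from the baseline stands out.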

## Use in Malware

|Name|Date|Method|Description|
|----|----|----|----|
|[Malicious NDISProxy drivers]|2018|--|The LuckyMouse APT (aka APT27) spreads Trojans via malicious NDISProxy drivers. [1]|

## References

[1] https://www.zdnet.com/article/luckymouse-targets-govt-entities-through-malicious-ndisproxy-driver/