RegPhantom Backdoor: Threat Analysis and Detection Insights
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
RegPhantom is a stealth-focused Windows kernel rootkit that allows low-privileged user-mode processes to run arbitrary code in kernel space through a hidden registry-based command channel. The driver is signed with valid certificates, relies on reflective PE loading, and removes execution artifacts once its job is complete. Its architecture is built to evade driver signature enforcement controls while avoiding persistent files or registry entries. Effective detection therefore depends on identifying the driver binary itself and the distinctive code patterns it contains.
Investigation
The research reviewed several signed and unsigned .sys samples gathered between June and August 2025, exposing a shared CFG-obfuscated code base and a registry interception mechanism built on CmRegisterCallback. The driver decrypts a 56-byte XOR-protected payload, reflectively maps it into kernel memory, executes it, and then wipes the evidence. Sample chronology and certificate usage point to continued development activity associated with a China-linked threat actor.
Mitigation
Security teams should block untrusted kernel drivers, watch for suspicious use of CmRegisterCallback and PsSetCreateThreadNotifyRoutine, and enforce launch-time integrity validation for driver files. YARA rules should be deployed to match the driver’s unique byte sequences, while strict code-signing enforcement should remain in place. Monitoring for unusual registry write failures, especially repeated access-denied events, may also expose the covert communication channel.
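As an added example (not code from this write-up or from its detection rules), the Python below implements the last point: it groups Sysmon-style Event ID 13 records by process, alerts when one process accumulates repeated STATUS_ACCESS_DENIED registry writes inside a short window, and escalates the severity when the rejected value is exactly 56 bytes, the payload size described above. The event shape (TargetObject, Details, Status, plus ProcessId, Image and UtcTime), the sample events, the threshold and the window are assumptions for illustration.

```python
"""Flag processes whose registry writes are repeatedly rejected with STATUS_ACCESS_DENIED.

Added example, not code from the RegPhantom write-up. It assumes Sysmon-style
Event ID 13 (RegistryEvent: value set) records that carry the fields the
write-up names (TargetObject, Details, Status) plus ProcessId, Image and
UtcTime for grouping and windowing; the events below are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Size of the XOR-protected payload described in the write-up.
PAYLOAD_SIZE = 56

# Sysmon renders binary values as "Binary Data size N bytes"; the regex is
# tolerant of surrounding text such as "(0x38)".
DATA_SIZE_RE = re.compile(r"Data size\s+(\d+)\s+bytes", re.IGNORECASE)

# Constructed sample events (not real telemetry): PIDs, paths and times are made up.
_WRITER = r"C:\Users\alice\AppData\Local\Temp\upd.exe"
SAMPLE_EVENTS = [
    {"UtcTime": "2025-08-01 10:00:00.000", "EventID": 13, "ProcessId": 4120, "Image": _WRITER,
     "TargetObject": r"HKLM\SOFTWARE\Contoso\Cfg\Blob",
     "Details": "Binary Data size 56 bytes (0x38)", "Status": "STATUS_ACCESS_DENIED"},
    {"UtcTime": "2025-08-01 10:00:01.500", "EventID": 13, "ProcessId": 4120, "Image": _WRITER,
     "TargetObject": r"HKLM\SOFTWARE\Contoso\Cfg\Blob",
     "Details": "Binary Data size 56 bytes (0x38)", "Status": "STATUS_ACCESS_DENIED"},
    {"UtcTime": "2025-08-01 10:00:03.000", "EventID": 13, "ProcessId": 4120, "Image": _WRITER,
     "TargetObject": r"HKLM\SOFTWARE\Contoso\Cfg\Blob2",
     "Details": "Binary Data size 56 bytes (0x38)", "Status": "STATUS_ACCESS_DENIED"},
    # A single denial from a service is ordinary noise and stays below the threshold.
    {"UtcTime": "2025-08-01 10:00:05.000", "EventID": 13, "ProcessId": 880,
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Vendor\State",
     "Details": "DWORD (0x00000001)", "Status": "STATUS_ACCESS_DENIED"},
    # A successful write is not a failure and is ignored even for the suspicious process.
    {"UtcTime": "2025-08-01 10:00:06.000", "EventID": 13, "ProcessId": 4120, "Image": _WRITER,
     "TargetObject": r"HKLM\SOFTWARE\Contoso\Cfg\Ok",
     "Details": "Binary Data size 56 bytes (0x38)", "Status": "STATUS_SUCCESS"},
]


def data_size(details: str | None) -> int | None:
    """Return the byte count Sysmon reports in the Details field, or None."""
    match = DATA_SIZE_RE.search(details or "")
    return int(match.group(1)) if match else None


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def is_denied_write(event: dict) -> bool:
    """True for a registry value-set event that was rejected with access denied."""
    return event.get("EventID") == 13 and event.get("Status") == "STATUS_ACCESS_DENIED"


def find_suspicious_writers(events, threshold: int = 3, window_seconds: int = 60) -> list[dict]:
    """Return one alert per process with >= threshold denied writes inside the window.

    Severity is raised to "high" when any denied write carries exactly PAYLOAD_SIZE
    bytes, the size the write-up associates with the hidden command channel.
    """
    by_process: dict[tuple[int, str], list[dict]] = defaultdict(list)
    for event in events:
        if is_denied_write(event):
            by_process[(event["ProcessId"], event["Image"])].append(event)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (pid, image), denied in by_process.items():
        times = sorted(_parse_time(e["UtcTime"]) for e in denied)
        # Sliding window over the sorted timestamps: any run of `threshold`
        # consecutive denials that fits inside `window` triggers.
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        if not burst:
            continue
        payload_sized = sum(1 for e in denied if data_size(e.get("Details")) == PAYLOAD_SIZE)
        alerts.append({
            "ProcessId": pid,
            "Image": image,
            "denied_writes": len(denied),
            "payload_sized_writes": payload_sized,
            "severity": "high" if payload_sized else "medium",
            "targets": sorted({e["TargetObject"] for e in denied}),
        })
    return sorted(alerts, key=lambda a: (a["severity"] != "high", a["ProcessId"]))


if __name__ == "__main__":
    for alert in find_suspicious_writers(SAMPLE_EVENTS):
        print(alert)
```

Run it directly to print the alert for the constructed sample; in a real pipeline, feed it the parsed Sysmon events from the SIEM and tune threshold and window_seconds against a baseline, since isolated access-denied writes from services are common and should not page anyone on their own.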
Response
If RegPhantom is discovered, isolate the affected endpoint, delete the malicious driver, and capture a full kernel memory dump for deeper forensic review. Revoke any abused signing certificates and update trusted certificate stores as needed. Threat hunting should then focus on the driver’s registry interception behavior across the environment, followed by remediation of all potentially exposed Windows systems.
Attack Flow
graph TB
    %% Class definitions
    classDef technique fill:#ffcc99
    classDef action fill:#99ccff
    classDef operator fill:#ff9900
    classDef builtin fill:#cccccc

    %% Node definitions
    step_persistence["<b>Step</b> – Persistence via signed malicious driver loaded at boot using a valid code-signing certificate."]
    class step_persistence action
    tech_boot_autostart["<b>Technique</b> – <b>T1547.009 Kernel Drivers and Modules</b><br/>Load malicious driver at system start to achieve persistence and obtain kernel-mode privilege."]
    class tech_boot_autostart technique
    tech_code_signing["<b>Technique</b> – <b>T1553.002 Subvert Trust Controls: Code Signing</b><br/>Leverage a legitimate code-signing certificate to bypass driver signature enforcement."]
    class tech_code_signing technique
    tech_priv_esc["<b>Technique</b> – <b>T1068 Exploitation for Privilege Escalation</b><br/>Kernel driver grants system-level privileges to attacker code."]
    class tech_priv_esc technique
    step_hook_registration["<b>Step</b> – Driver registers system callbacks to hide its presence and intercept operations."]
    class step_hook_registration action
    tech_rootkit["<b>Technique</b> – <b>T1014 Rootkit</b><br/>Install kernel-mode rootkit components and hook callbacks to conceal malicious activity."]
    class tech_rootkit technique
    step_registry_channel["<b>Step</b> – Covert command channel using registry writes intercepted and decrypted by the driver."]
    class step_registry_channel action
    tech_query_registry["<b>Technique</b> – <b>T1012 Query Registry</b><br/>Read registry values to receive commands or configuration data."]
    class tech_query_registry technique
    tech_deobfuscate["<b>Technique</b> – <b>T1140 Deobfuscate/Decode Files or Information</b><br/>Decrypt XOR-encrypted payload retrieved from registry."]
    class tech_deobfuscate technique
    step_reflective_load["<b>Step</b> – Load reflective PE payload into kernel memory using custom loader."]
    class step_reflective_load action
    tech_reflective_loading["<b>Technique</b> – <b>T1620 Reflective Code Loading</b><br/>Load and execute code directly from memory without touching disk."]
    class tech_reflective_loading technique
    step_memory_wipe["<b>Step</b> – Wipe allocated memory and remove temporary artifacts after execution."]
    class step_memory_wipe action
    tech_clear_persistence["<b>Technique</b> – <b>T1070.009 Clear Persistence</b><br/>Delete traces of loaded modules and related persistence artifacts."]
    class tech_clear_persistence technique
    step_hook_hijack["<b>Step</b> – Payload hijacks driver hook pointers to maintain persistence and further hide activity."]
    class step_hook_hijack action

    %% Connections showing flow
    step_persistence -->|uses| tech_boot_autostart
    step_persistence -->|subverts| tech_code_signing
    step_persistence -->|enables| tech_priv_esc
    step_persistence -->|leads_to| step_hook_registration
    step_hook_registration -->|implements| tech_rootkit
    step_hook_registration -->|leads_to| step_registry_channel
    step_registry_channel -->|accesses| tech_query_registry
    step_registry_channel -->|performs| tech_deobfuscate
    step_registry_channel -->|leads_to| step_reflective_load
    step_reflective_load -->|executes| tech_reflective_loading
    step_reflective_load -->|leads_to| step_memory_wipe
    step_memory_wipe -->|clears| tech_clear_persistence
    step_memory_wipe -->|leads_to| step_hook_hijack
    step_hook_hijack -->|maintains| tech_rootkit
Detections
Possible BYOVD – Bring Your Own Vulnerable Driver Attack (via audit)
Possible BYOVD – Bring Your Own Vulnerable Driver Attack (via file_event)
IOCs (HashSha256) to detect: RegPhantom Backdoor Threat Analysis Part 1
IOCs (HashSha256) to detect: RegPhantom Backdoor Threat Analysis Part 2
Detect RegPhantom Registry Callback Registration [Windows Registry Event]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands
- Objective: Emulate RegPhantom’s attempt to register a kernel‑mode registry callback that will intercept credential‑related registry operations.
- Method: Load a minimal, deliberately failing driver that calls CmRegisterCallback with a callback routine pointing to RegNtPreSetValueKey. The driver intentionally passes a malformed registration structure that results in STATUS_ACCESS_DENIED.
- Outcome: Sysmon logs EventID 13 with TargetObject containing both CmRegisterCallback and RegNtPreSetValueKey, Details reporting Data size exactly 56 bytes (0x38), and Status set to STATUS_ACCESS_DENIED.
Regression Test Script (PowerShell + embedded C driver source – compile on the target host)
# --------------------------------------------------------------
# Step 1: Write the minimal driver source to disk
# --------------------------------------------------------------
$srcPath    = Join-Path $env:TEMP 'RegPhantomStub.c'
$objPath    = Join-Path $env:TEMP 'RegPhantomStub.obj'
$driverPath = Join-Path $env:TEMP 'RegPhantomStub.sys'

# Single-quoted here-string: nothing inside is expanded by PowerShell.
$driverSource = @'
#include <ntddk.h>

// Dummy registry callback: registered, but it never does any work.
NTSTATUS DummyCallback(
    _In_ PVOID CallbackContext,
    _In_ PVOID Argument1,
    _In_ PVOID Argument2
)
{
    UNREFERENCED_PARAMETER(CallbackContext);
    UNREFERENCED_PARAMETER(Argument1);
    UNREFERENCED_PARAMETER(Argument2);
    return STATUS_SUCCESS;
}

// Unload routine: without one, "sc.exe stop" cannot unload the driver.
VOID DriverUnload(_In_ PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
}

NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;

    // Perform the same registration call RegPhantom makes. The callback pointer is
    // valid and the context is NULL, so the call itself is well-formed; the status
    // RegPhantom observes (STATUS_ACCESS_DENIED, 0xC0000022) is what the detection keys on.
    LARGE_INTEGER cookie = {0};
    NTSTATUS regStatus = CmRegisterCallback(DummyCallback, NULL, &cookie);
    DbgPrint("RegPhantomStub: CmRegisterCallback returned 0x%08lX (RegPhantom sees 0x%08lX)\n",
             (unsigned long)regStatus, (unsigned long)STATUS_ACCESS_DENIED);

    // Keep the driver loaded for a short period to allow Sysmon to capture the event.
    LARGE_INTEGER interval;
    interval.QuadPart = -10 * 1000000; // 1 second, relative, in 100 ns units
    KeDelayExecutionThread(KernelMode, FALSE, &interval);

    // Unregister only if the registration actually succeeded.
    if (NT_SUCCESS(regStatus)) {
        CmUnregisterCallback(cookie);
    }
    return STATUS_SUCCESS;
}
'@
Set-Content -Path $srcPath -Value $driverSource -Encoding ASCII

# --------------------------------------------------------------
# Step 2: Compile and link the driver (requires Visual Studio Build Tools
# and the WDK; run from a WDK/EWDK build prompt so INCLUDE and LIB point
# at the kernel-mode headers and ntoskrnl.lib)
# --------------------------------------------------------------
Write-Host "Compiling driver – requires Windows Driver Kit (WDK) and VS Build Tools."
cl.exe /nologo /W3 /WX- /O2 /kernel /GS- /c $srcPath "/Fo$objPath"
link.exe /nologo /DRIVER /SUBSYSTEM:NATIVE /ENTRY:DriverEntry /NODEFAULTLIB "/OUT:$driverPath" $objPath ntoskrnl.lib
# The resulting .sys is unsigned: loading it requires test-signing mode or a test certificate.

# --------------------------------------------------------------
# Step 3: Load the driver (must run as Administrator)
# Note: "sc" alone is the PowerShell alias for Set-Content; call sc.exe explicitly.
# --------------------------------------------------------------
Write-Host "Loading driver to trigger the registration attempt..."
sc.exe create RegPhantomStub binPath= $driverPath type= kernel start= demand
sc.exe start RegPhantomStub

# --------------------------------------------------------------
# Step 4: Give Sysmon time to ingest the event
# --------------------------------------------------------------
Start-Sleep -Seconds 5

# --------------------------------------------------------------
# Step 5: Unload and delete the driver
# --------------------------------------------------------------
sc.exe stop RegPhantomStub
sc.exe delete RegPhantomStub
Remove-Item -Path $driverPath, $objPath, $srcPath -Force -ErrorAction SilentlyContinue
Write-Host "Simulation complete. Verify detection in your SIEM."
Cleanup Commands (if the driver could not be compiled or loaded)
# Ensure any partially created driver service is removed.
# Get-Service does not list kernel driver services, so query the SCM directly;
# sc.exe returns a non-zero exit code when the service does not exist.
sc.exe query RegPhantomStub | Out-Null
if ($LASTEXITCODE -eq 0) {
    sc.exe stop RegPhantomStub
    sc.exe delete RegPhantomStub
}
# Remove residual files (source, object and driver)
Remove-Item -Path (Join-Path $env:TEMP 'RegPhantomStub.*') -Force -ErrorAction SilentlyContinue