312-50V10 · Question #309
How can a rootkit bypass Windows 7 operating system's kernel mode, code signing policy?
The correct answer is D. Attaching itself to the master boot record in a hard drive and changing the machine's boot. A bootkit attaches to the Master Boot Record and runs before the OS loads, bypassing Windows 7 kernel code signing enforcement entirely.
Question
How can a rootkit bypass Windows 7 operating system's kernel mode, code signing policy?
Options
- ADefeating the scanner from detecting any code change at the kernel
- BReplacing patch system calls with its own version that hides the rootkit (attacker's) actions
- CPerforming common services for the application process and replacing real applications with fake
- DAttaching itself to the master boot record in a hard drive and changing the machine's boot
How the community answered
(47 responses)- A17% (8)
- B9% (4)
- C4% (2)
- D70% (33)
Why each option
A bootkit attaches to the Master Boot Record and runs before the OS loads, bypassing Windows 7 kernel code signing enforcement entirely.
Defeating a scanner from detecting code changes describes anti-forensic obfuscation, not a technique for bypassing the kernel code signing policy.
Replacing system calls describes kernel hooking, which happens after the OS loads and would still be subject to code signing and PatchGuard checks.
Replacing real applications with fake ones describes user-mode trojan behavior, which does not operate at the kernel level and does not bypass code signing.
By embedding itself in the Master Boot Record, a bootkit executes during the pre-boot phase before the Windows kernel and its code signing enforcement mechanisms are initialized. This allows the rootkit to modify the boot sequence and load unsigned or malicious kernel-mode drivers that PatchGuard and Kernel Mode Code Signing would otherwise block. Because Windows security policies have not yet been loaded at MBR execution time, the bypass is structural rather than a software exploit of those policies.
Concept tested: MBR bootkit bypass of kernel code signing policy
Source: https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/rootkits-malware
Topics
Community Discussion
No community discussion yet for this question.