87e9a8db-ba56-4e89-829f-ecc5fc01f848
Attackers can downgrade Windows kernel components to bypass security features such as Driver Signature Enforcement and deploy rootkits on fully patched systems.
This is possible by taking control of the Windows Update process to introduce outdated, vulnerable software components on an up-to-date machine without the operating system changing the fully patched status.
This script checks that the Code Integrity DLL (ci.dll) is at the expected version number, i.e. that it has not been downgraded.
Keep Windows updated. If ci.dll is not at the latest version, the computer may be compromised.
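One way to implement the ci.dll check described above, written here as an added PowerShell example rather than the page's own script. It assumes the operator supplies `-MinimumVersion` from a known-good, fully patched reference machine (the page gives no specific version number, so none is hard-coded), reads the numeric file version of `%SystemRoot%\System32\ci.dll`, and also reports the Authenticode signature status. Note the caveat: a downgraded ci.dll is still a genuine Microsoft-signed binary, so the signature check only catches unsigned or tampered copies; the version comparison is what detects the downgrade.

```powershell
# Added example, not the original script. Checks that ci.dll has not been
# downgraded below an expected minimum version supplied by the operator.
# -MinimumVersion is an assumption: take it from a known-good, fully patched
# machine (or the Windows Update catalog), e.g. .\Check-CiDll.ps1 -MinimumVersion 10.0.22621.1
param(
    [Parameter(Mandatory = $true)]
    [version]$MinimumVersion
)

$ciPath = Join-Path $env:SystemRoot 'System32\ci.dll'

if (-not (Test-Path -Path $ciPath)) {
    Write-Output "ALERT: $ciPath not found"
    exit 2
}

$file = Get-Item -Path $ciPath
# FileVersionRaw is the numeric version; FileVersion can carry extra text
$installed = [version]$file.VersionInfo.FileVersionRaw

# Signature check: a downgraded ci.dll is still Microsoft-signed (that is the
# point of the attack), so this only flags unsigned or tampered copies.
$sig = Get-AuthenticodeSignature -FilePath $ciPath

Write-Output "ci.dll path    : $ciPath"
Write-Output "ci.dll version : $installed"
Write-Output "Signature      : $($sig.Status) ($($sig.SignerCertificate.Subject))"

if ($sig.Status -ne 'Valid') {
    Write-Output "ALERT: ci.dll signature status is $($sig.Status)"
    exit 2
}

if ($installed -lt $MinimumVersion) {
    Write-Output "ALERT: ci.dll $installed is older than expected $MinimumVersion - possible downgrade"
    exit 1
}

Write-Output "OK: ci.dll is at or above the expected version $MinimumVersion"
exit 0
```

Exit code 1 signals a suspected downgrade and 2 a missing or badly signed file, so the script can be run from an RMM or scheduled task and alert on a non-zero result. Because the downgrade leaves the system reporting itself as fully patched, the reference version must come from outside the checked machine, not from its own update history.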
More information:
https://www.bleepingcomputer.com/news/security/new-windows-driver-signature-bypass-allows-kernel-rootkit-installs/
https://www.elastic.co/security-labs/false-file-immutability
A downgrade allows exploitation of already patched security vulnerabilities such as https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21302 and https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38202