From df8da70eb4539dddad1d3590af88f9f319b12bc3 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 27 Jul 2022 08:48:44 +0200
Subject: [PATCH 1/3] docs: description change
---
 rules/windows/driver_load/driver_load_vuln_hw_driver.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/driver_load/driver_load_vuln_hw_driver.yml b/rules/windows/driver_load/driver_load_vuln_hw_driver.yml
index ad4f20da5..b213f2b9d 100644
--- a/rules/windows/driver_load/driver_load_vuln_hw_driver.yml
+++ b/rules/windows/driver_load/driver_load_vuln_hw_driver.yml
@@ -1,7 +1,7 @@
 title: Vulnerable HW Driver Load
 id: 9bacc538-d1b9-4d42-862e-469eafc05a41
 status: experimental
-description: Detects the load of a legitimate signed driver often used by threat actors or malware for privilege escalation
+description: Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation
 author: Florian Roth
 references:
     - https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/
From c2ea6079e77234951ffad474eab65f9580fb4d6e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 27 Jul 2022 08:52:40 +0200
Subject: [PATCH 2/3] refactor: Dell driver refactoring
---
 .../driver_load_vuln_dell_driver.yml | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/rules/windows/driver_load/driver_load_vuln_dell_driver.yml b/rules/windows/driver_load/driver_load_vuln_dell_driver.yml
index 15439f86e..870146fa6 100644
--- a/rules/windows/driver_load/driver_load_vuln_dell_driver.yml
+++ b/rules/windows/driver_load/driver_load_vuln_dell_driver.yml
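Review bot: The new description line reads `driver named HW.sys by often used by threat actors`, a stray `by` left over from the edit; `description: Detects the load of a legitimate signed driver named HW.sys often used by threat actors or malware for privilege escalation`. The other two patches in this series add `modified: 2022/07/27` next to their edits, while this hunk shows no `modified` field in the rule header; if the repository convention is to bump it on every change, it is missing here. Lines after `references:` are outside the hunk, so a `modified` key further down cannot be ruled out from this view.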
@@ -4,6 +4,7 @@ description: Detects the load of the vulnerable Dell BIOS update driver as repor
 status: experimental
 author: Florian Roth
 date: 2021/05/05
+modified: 2022/07/27
 references:
     - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
 logsource:
@@ -16,15 +17,25 @@ tags:
 detection:
     selection_image:
         ImageLoaded|contains: '\DBUtil_2_3.Sys'
-    selection_hash:
+    selection_sysmon:
         Hashes|contains:
+            - 'SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5'
+            - 'SHA256=DDBF5ECCA5C8086AFDE1FB4F551E9E6400E94F4428FE7FB5559DA5CFFA654CC1'
+            - 'SHA1=C948AE14761095E4D76B55D9DE86412258BE7AFD'
+            - 'SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25'
+            - 'MD5=C996D7971C49252C582171D9380360F2'
+            - 'MD5=D2FD132AB7BBC6BBB87A84F026FA0244'
+    selection_hash:
+        SHA256:
             - '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5'
-            - 'c948ae14761095e4d76b55d9de86412258be7afd'
-            - 'c996d7971c49252c582171d9380360f2'
             - 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1'
+        SHA1:
+            - 'c948ae14761095e4d76b55d9de86412258be7afd'
             - '10b30bdee43b3a2ec4aa63375577ade650269d25'
+        MD5:
+            - 'c996d7971c49252c582171d9380360f2'
             - 'd2fd132ab7bbc6bbb87a84f026fa0244'
-    condition: selection_image or selection_hash
+    condition: 1 of selection*
 falsepositives:
     - Legitimate BIOS driver updates (should be rare)
 level: high
From 27061cd0ac0a188cefaa4c34d34bf3044f352093 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 27 Jul 2022 08:58:46 +0200
Subject: [PATCH 3/3] refactor: windivert driver load update
---
 .../driver_load/driver_load_windivert.yml | 47 ++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)
diff --git a/rules/windows/driver_load/driver_load_windivert.yml b/rules/windows/driver_load/driver_load_windivert.yml
index 3f3de4609..c806b7e6c 100644
--- a/rules/windows/driver_load/driver_load_windivert.yml
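Review bot: The same six digests now live in two lists, as `SHA256=…`/`SHA1=…`/`MD5=…` fragments under `selection_sysmon` and as lowercase plain values under `selection_hash`, and nothing in the rule says why both exist; a later hash addition that touches only one list will silently miss on the other logsource. A comment over each selection would pin the intent, e.g. `# Sysmon-style "Hashes" field: every digest in one ALG=VALUE string` above `selection_sysmon` and `# sources that expose one field per algorithm` above `selection_hash`. The two lists also differ in case (uppercase fragments versus lowercase values); Sigma string matching is case-insensitive by default, but a backend that matches strictly would only ever fire on one of them, so this is worth confirming against the backends in use.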
+++ b/rules/windows/driver_load/driver_load_windivert.yml
@@ -4,6 +4,7 @@ status: experimental
 description: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
 author: Florian Roth
 date: 2021/07/30
+modified: 2022/07/27
 references:
     - https://reqrypt.org/windivert-doc.html
     - https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
@@ -20,7 +21,51 @@ detection:
         ImageLoaded|contains:
             - '\WinDivert.sys'
             - '\WinDivert64.sys'
-    condition: selection
+            # Other used names
+            - '\NordDivert.sys'
+            - '\lingtiwfp.sys'
+            - '\eswfp.sys'
+    selection_sysmon:
+        Hashes|contains:
+            - 'IMPHASH=0604bb7cb4bb851e2168d5c7d9399087'
+            - 'IMPHASH=2e5f0e649d97f32b03c09e4686d0574f'
+            - 'IMPHASH=52f8aa269f69f0edad9e8fcdaedce276'
+            - 'IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76'
+            - 'IMPHASH=58623490691babe8330adc81cd04a663'
+            - 'IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b'
+            - 'IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96'
+            - 'IMPHASH=a1b2e245acd47e4a348e1a552a02859a'
+            - 'IMPHASH=2a5f85fe4609461c6339637594fa9b0a'
+            - 'IMPHASH=6b2c6f95233c2914d1d488ee27531acc'
+            - 'IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342'
+            - 'IMPHASH=d8a719865c448b1bd2ec241e46ac1c88'
+            - 'IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38'
+            - 'IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6'
+            - 'IMPHASH=a74929edfc3289895e3f2885278947ae'
+            - 'IMPHASH=a66b476c2d06c370f0a53b5537f2f11e'
+            - 'IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4'
+            - 'IMPHASH=c28cd6ccd83179e79dac132a553693d9'
+    selection_hashes:
+        IMPHASH:
+            - '0604bb7cb4bb851e2168d5c7d9399087'
+            - '2e5f0e649d97f32b03c09e4686d0574f'
+            - '52f8aa269f69f0edad9e8fcdaedce276'
+            - 'c0e5d314da39dbf65a2dbff409cc2c76'
+            - '58623490691babe8330adc81cd04a663'
+            - '8ee39b48656e4d6b8459d7ba7da7438b'
+            - '45ee545ae77e8d43fc70ede9efcd4c96'
+            - 'a1b2e245acd47e4a348e1a552a02859a'
+            - '2a5f85fe4609461c6339637594fa9b0a'
+            - '6b2c6f95233c2914d1d488ee27531acc'
+            - '9f2fdd3f9ab922bbb0560a7df46f4342'
+            - 'd8a719865c448b1bd2ec241e46ac1c88'
+            - '0ea54f8c9af4a2fe8367fa457f48ed38'
+            - '9d519ae0a0864d6d6ae3f8b6c9c70af6'
+            - 'a74929edfc3289895e3f2885278947ae'
+            - 'a66b476c2d06c370f0a53b5537f2f11e'
+            - 'bdcd836a46bc2415773f6b5ea77a46e4'
+            - 'c28cd6ccd83179e79dac132a553693d9'
+    condition: 1 of selection*
 falsepositives:
     - Legitimate WinDivert driver usage
 level: high
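Review bot: The new selection is named `selection_hashes` here but `selection_hash` in the Dell rule from the same patch series, for an identical algorithm-keyed structure; settling on one spelling (the Dell rule's `selection_hash`) keeps the rule set consistent and greppable. The 18 IMPHASH values are repeated verbatim between `selection_sysmon` and `selection_hashes` with no comment stating which logsource each list serves, so a one-line comment over each selection, such as `# Sysmon-style "Hashes" field: every digest in one ALG=VALUE string` and `# sources that expose one field per algorithm`, would stop the two lists drifting apart on later edits. The `# Other used names` comment above the three added file names gives no pointer to where those names were observed; naming the reference entry that documents them, or adding one, would let reviewers verify the additions. The selection key that holds `ImageLoaded|contains` and the enclosing `detection:` block both start above the hunk.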