Update drivers list
@@ -12,8 +12,15 @@ references:
|
||||
- https://github.com/namazso/physmem_drivers
|
||||
- https://github.com/stong/CVE-2020-15368
|
||||
- https://github.com/CaledoniaProject/drivers-binaries
|
||||
- https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html
|
||||
- https://github.com/tandasat/ExploitCapcom
|
||||
- https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md
|
||||
- https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md
|
||||
- https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780
|
||||
- https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/
|
||||
- https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444
|
||||
date: 2022/08/18
|
||||
modified: 2022/10/03
|
||||
modified: 2022/10/10
|
||||
logsource:
|
||||
product: windows
|
||||
category: driver_load
|
||||
@@ -261,6 +268,18 @@ detection:
|
||||
- 'SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a'
|
||||
- 'SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332'
|
||||
- 'SHA1=4f7a8e26a97980544be634b26899afbefb0a833c'
|
||||
# https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html
|
||||
- 'SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7'
|
||||
- 'SHA1=a7e9a4686aa7291331e2c8708882c8d81d05264f'
|
||||
- 'SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a'
|
||||
- 'SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35'
|
||||
- 'SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02'
|
||||
- 'SHA1=fd833f3fe2fa396878033b9e6054725248bf9881'
|
||||
- 'SHA1=db446af0e34259e95f4db112a9f06177e1eef4e0'
|
||||
- 'SHA1=39d7b121bc654a0de891225e0f8b7b5537c24931'
|
||||
- 'SHA1=d0a228ed8af190dec0c1a812e212f5e68ee3b43e'
|
||||
- 'SHA1=7d2fc1a6729521e5c76f659e4c398e2061f7ed5e'
|
||||
- 'SHA1=f999709e5b00a68a0f4fa912619fe6548ad0c42d'
|
||||
# The list below is from https://github.com/namazso/physmem_drivers
|
||||
- 'SHA256=05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748'
|
||||
- 'SHA256=4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA'
|
||||
@@ -499,6 +518,18 @@ detection:
|
||||
- 'SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b'
|
||||
- 'SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05'
|
||||
- 'SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433'
|
||||
# https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html
|
||||
- 'SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24'
|
||||
- 'SHA256=9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec'
|
||||
- 'SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd'
|
||||
- 'SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a'
|
||||
- 'SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0'
|
||||
- 'SHA256=e6db8a1c9d82d18b948c7135439fdeaa9bc02ea97509e3534de65e5481489220'
|
||||
- 'SHA256=1062211314088012edb9fe65780e35e7b3144ac45021269fc993ef2931c8584b'
|
||||
- 'SHA256=029dbf6d8dc920a32b3c7a2057513d3741b20b7f6e7aa23b113859a8049214df'
|
||||
- 'SHA256=1d053020079124ac526d84affb17bf4a1563ecd872c83b4b6299c9aa6a732557'
|
||||
- 'SHA256=c059f1b2b73ecab48d62f469d48dbde74a80c4ada07f0bd3b417ec4e044fb522'
|
||||
- 'SHA256=a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512'
|
||||
selection_other:
|
||||
- SHA1:
|
||||
# The list below is from https://github.com/namazso/physmem_drivers and the SHA1 are from VT
|
||||
@@ -742,6 +773,18 @@ detection:
|
||||
- '5fb9421be8a8b08ec395d05e00fd45eb753b593a'
|
||||
- 'b480c54391a2a2f917a44f91a5e9e4590648b332'
|
||||
- '4f7a8e26a97980544be634b26899afbefb0a833c'
|
||||
# https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html
|
||||
- 'c1d5cf8c43e7679b782630e93f5e6420ca1749a7'
|
||||
- 'a7e9a4686aa7291331e2c8708882c8d81d05264f' #ATSZIO.sys
|
||||
- '7ba19a701c8af76988006d616a5f77484c13cb0a'
|
||||
- '4243dbbf6e5719d723f24d0f862afd0fcb40bc35'
|
||||
- '00b4e8b7644d1bf93f5ddb5740b444b445e81b02'
|
||||
- 'fd833f3fe2fa396878033b9e6054725248bf9881'
|
||||
- 'db446af0e34259e95f4db112a9f06177e1eef4e0'
|
||||
- '39d7b121bc654a0de891225e0f8b7b5537c24931'
|
||||
- 'd0a228ed8af190dec0c1a812e212f5e68ee3b43e'
|
||||
- '7d2fc1a6729521e5c76f659e4c398e2061f7ed5e'
|
||||
- 'f999709e5b00a68a0f4fa912619fe6548ad0c42d'
|
||||
- SHA256:
|
||||
# The list below is from https://github.com/namazso/physmem_drivers
|
||||
- '04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162'
|
||||
@@ -990,6 +1033,18 @@ detection:
|
||||
- '000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b'
|
||||
- '0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05'
|
||||
- 'a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433'
|
||||
# https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html
|
||||
- 'da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24'
|
||||
- '9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec' #ATSZIO.sys
|
||||
- '771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd' #Driver7
|
||||
- '927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a'
|
||||
- '42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0'
|
||||
- 'e6db8a1c9d82d18b948c7135439fdeaa9bc02ea97509e3534de65e5481489220'
|
||||
- '1062211314088012edb9fe65780e35e7b3144ac45021269fc993ef2931c8584b'
|
||||
- '029dbf6d8dc920a32b3c7a2057513d3741b20b7f6e7aa23b113859a8049214df'
|
||||
- '1d053020079124ac526d84affb17bf4a1563ecd872c83b4b6299c9aa6a732557'
|
||||
- 'c059f1b2b73ecab48d62f469d48dbde74a80c4ada07f0bd3b417ec4e044fb522'
|
||||
- 'a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512'
|
||||
condition: 1 of selection*
|
||||
falsepositives:
|
||||
- Unknown
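Review bot: The twelve hashes added from the unknowncheats megathread in each of the four lists are unannotated except for `#ATSZIO.sys` and `#Driver7` in `selection_other` (lines with `a7e9a468…`, `9c2977d6…`, `771a8d05…`), while the same values in the `Hashes` list carry no name at all, so the two copies of the list cannot be checked against each other by eye. Since every hash has to be maintained twice (the `Hashes` form for Sysmon and the bare `SHA1:`/`SHA256:` form in `selection_other`), annotate each entry in both copies with the driver file the value was computed from, e.g. `- 'SHA1=a7e9a4686aa7291331e2c8708882c8d81d05264f' # ATSZIO.sys`, and state how the values were obtained, as the `# … SHA1 are from VT` comment does for the namazso block. The `falsepositives: - Unknown` entry could also be made concrete: a hash match fires on legitimate installs of the software that ships these driver versions, so `- Legitimate use of the listed driver versions by the software that ships them` describes the expected noise better than "Unknown". The `modified:` pair in the first hunk looks like the old/new rendering of a single line; only one should remain in the file.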
|
||||
|
||||
@@ -15,6 +15,9 @@ references:
|
||||
- https://github.com/namazso/physmem_drivers
|
||||
- https://github.com/stong/CVE-2020-15368
|
||||
- https://github.com/CaledoniaProject/drivers-binaries
|
||||
- https://github.com/Chigusa0w0/AsusDriversPrivEscala
|
||||
- https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/
|
||||
- https://eclypsium.com/2019/11/12/mother-of-all-drivers/
|
||||
date: 2022/10/03
|
||||
modified: 2022/10/10
|
||||
tags:
|
||||
@@ -168,13 +171,36 @@ detection:
|
||||
- '\pgldqpoc.sys'
|
||||
- '\iqvw64e.sys'
|
||||
- '\Monitor_win10_x64.sys'
|
||||
- '\driver.sys'
|
||||
- '\srvnetbus.sys'
|
||||
- '\Mslo64.sys'
|
||||
- '\pcdsrvc_x64.pkms'
|
||||
- '\krpocesshacker.sys'
|
||||
- '\HWiNFO64A.sys'
|
||||
- '\HWiNFO64A.sys' # version <= 8.98, CVE-2018-8061
|
||||
- '\rzpnk.sys'
|
||||
- '\magdrvamd64.sys'
|
||||
# https://github.com/Chigusa0w0/AsusDriversPrivEscala
|
||||
- '\driver7-x64.sys'
|
||||
- '\driver7-x86-withoutdbg.sys'
|
||||
- '\driver7-x86.sys'
|
||||
# Other
|
||||
- '\gmer.sys'
|
||||
- '\PCADRVX64.sys'
|
||||
# WinRing0 other names from VT (https://eclypsium.com/2019/11/12/mother-of-all-drivers/)
|
||||
- '\ActiveHealth.sys'
|
||||
- '\CAM_V3.sys'
|
||||
- '\GameFire.sys'
|
||||
- '\OpenHardwareMonitor.sys'
|
||||
- '\OpenHardwareMonitorLib.sys'
|
||||
- '\OpenHardwareMonitorReport.sys'
|
||||
- '\SmartDashboard.sys'
|
||||
- '\SystemGauge.sys'
|
||||
- '\SystemGaugeX7.sys'
|
||||
- '\VideoNovaServerControllerService.sys'
|
||||
- '\ellp_service.sys'
|
||||
- '\hardwareproviders.sys'
|
||||
- '\ohm.sys'
|
||||
- '\sensorsview32_64.sys'
|
||||
- '\touchpointanalyticsclient.sys'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Some false positives may occure if one of the vulnerable driver names mentioned above didn't change it's name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
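Review bot: The `falsepositives` text has two spelling errors and reads awkwardly; a corrected line would be `- Some false positives may occur if one of the vulnerable driver names above did not change between versions. Always make sure that the driver being loaded is the legitimate, non-vulnerable version.` The two entries under `# Other` (`\gmer.sys`, `\PCADRVX64.sys`) are the only ones in the list without a source reference; add the reference that was used, as the surrounding blocks do. For the `# WinRing0 other names from VT` block, the comment should make explicit that these are file names under which the same driver was observed and that a name match alone does not establish which build was loaded, so the hash-based companion rule is the authoritative signal. The `\HWiNFO64A.sys` line appearing twice looks like the old/new rendering of one line whose comment was added; only the annotated one should remain.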
|
||||
|
||||