diff --git a/rules/windows/driver_load/driver_load_vuln_drivers.yml b/rules/windows/driver_load/driver_load_vuln_drivers.yml
index 9c37a3d38..20ca62f19 100644
--- a/rules/windows/driver_load/driver_load_vuln_drivers.yml
+++ b/rules/windows/driver_load/driver_load_vuln_drivers.yml
@@ -12,8 +12,15 @@ references:
 - https://github.com/namazso/physmem_drivers
 - https://github.com/stong/CVE-2020-15368
 - https://github.com/CaledoniaProject/drivers-binaries
+ - https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html
+ - https://github.com/tandasat/ExploitCapcom
+ - https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md
+ - https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md
+ - https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780
+ - https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/
+ - https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444
 date: 2022/08/18
-modified: 2022/10/03
+modified: 2022/10/10
 logsource:
 product: windows
 category: driver_load
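Review bot: Two of the new references are bare forum download entries (`downloads.php?do=file&id=21780`, `downloads.php?do=file&id=25444`) that name neither the driver nor the hash they support, so once those links rot nothing in the rule records which hash entries they justified. A trailing comment on each reference, e.g. `# <driver name>, SHA256 <hash from the selection list>` filled in with the real values, would keep that mapping inside the rule rather than on an external page.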
@@ -261,6 +268,18 @@ detection:
 - 'SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a'
 - 'SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332'
 - 'SHA1=4f7a8e26a97980544be634b26899afbefb0a833c'
+ # https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html
+ - 'SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7'
+ - 'SHA1=a7e9a4686aa7291331e2c8708882c8d81d05264f'
+ - 'SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a'
+ - 'SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35'
+ - 'SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02'
+ - 'SHA1=fd833f3fe2fa396878033b9e6054725248bf9881'
+ - 'SHA1=db446af0e34259e95f4db112a9f06177e1eef4e0'
+ - 'SHA1=39d7b121bc654a0de891225e0f8b7b5537c24931'
+ - 'SHA1=d0a228ed8af190dec0c1a812e212f5e68ee3b43e'
+ - 'SHA1=7d2fc1a6729521e5c76f659e4c398e2061f7ed5e'
+ - 'SHA1=f999709e5b00a68a0f4fa912619fe6548ad0c42d'
 # The list below is from https://github.com/namazso/physmem_drivers
 - 'SHA256=05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748'
 - 'SHA256=4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA'
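Review bot: The eleven `SHA1=` entries added here carry no per-hash driver annotation, while the same hashes in the `selection_other` SHA1 list (hunk at -742) annotate `a7e9a4686aa7291331e2c8708882c8d81d05264f` as `#ATSZIO.sys`, and the bare SHA256 list at -990 annotates two entries (`#ATSZIO.sys`, `#Driver7`) that the parallel `SHA256=` list at -499 leaves unlabelled. Because the two selections must stay in sync hash for hash, every copy of a hash should carry the same label, e.g. `- 'SHA1=a7e9a4686aa7291331e2c8708882c8d81d05264f' # ATSZIO.sys`; at present no SHA1 is marked as the Driver7 counterpart of `771a8d05…` at all. Labelling the remaining nine entries in all four lists with the driver name from the megathread listing would let a reviewer verify each hash against its driver without re-fetching the forum page.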
@@ -499,6 +518,18 @@ detection:
 - 'SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b'
 - 'SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05'
 - 'SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433'
+ # https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html
+ - 'SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24'
+ - 'SHA256=9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec'
+ - 'SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd'
+ - 'SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a'
+ - 'SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0'
+ - 'SHA256=e6db8a1c9d82d18b948c7135439fdeaa9bc02ea97509e3534de65e5481489220'
+ - 'SHA256=1062211314088012edb9fe65780e35e7b3144ac45021269fc993ef2931c8584b'
+ - 'SHA256=029dbf6d8dc920a32b3c7a2057513d3741b20b7f6e7aa23b113859a8049214df'
+ - 'SHA256=1d053020079124ac526d84affb17bf4a1563ecd872c83b4b6299c9aa6a732557'
+ - 'SHA256=c059f1b2b73ecab48d62f469d48dbde74a80c4ada07f0bd3b417ec4e044fb522'
+ - 'SHA256=a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512'
 selection_other:
 - SHA1:
 # The list below is from https://github.com/namazso/physmem_drivers and the SHA1 are from VT
@@ -742,6 +773,18 @@ detection:
 - '5fb9421be8a8b08ec395d05e00fd45eb753b593a'
 - 'b480c54391a2a2f917a44f91a5e9e4590648b332'
 - '4f7a8e26a97980544be634b26899afbefb0a833c'
+ # https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html
+ - 'c1d5cf8c43e7679b782630e93f5e6420ca1749a7'
+ - 'a7e9a4686aa7291331e2c8708882c8d81d05264f' #ATSZIO.sys
+ - '7ba19a701c8af76988006d616a5f77484c13cb0a'
+ - '4243dbbf6e5719d723f24d0f862afd0fcb40bc35'
+ - '00b4e8b7644d1bf93f5ddb5740b444b445e81b02'
+ - 'fd833f3fe2fa396878033b9e6054725248bf9881'
+ - 'db446af0e34259e95f4db112a9f06177e1eef4e0'
+ - '39d7b121bc654a0de891225e0f8b7b5537c24931'
+ - 'd0a228ed8af190dec0c1a812e212f5e68ee3b43e'
+ - '7d2fc1a6729521e5c76f659e4c398e2061f7ed5e'
+ - 'f999709e5b00a68a0f4fa912619fe6548ad0c42d'
 - SHA256:
 # The list below is from https://github.com/namazso/physmem_drivers
 - '04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162'
@@ -990,6 +1033,18 @@ detection:
 - '000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b'
 - '0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05'
 - 'a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433'
+ # https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html
+ - 'da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24'
+ - '9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec' #ATSZIO.sys
+ - '771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd' #Driver7
+ - '927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a'
+ - '42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0'
+ - 'e6db8a1c9d82d18b948c7135439fdeaa9bc02ea97509e3534de65e5481489220'
+ - '1062211314088012edb9fe65780e35e7b3144ac45021269fc993ef2931c8584b'
+ - '029dbf6d8dc920a32b3c7a2057513d3741b20b7f6e7aa23b113859a8049214df'
+ - '1d053020079124ac526d84affb17bf4a1563ecd872c83b4b6299c9aa6a732557'
+ - 'c059f1b2b73ecab48d62f469d48dbde74a80c4ada07f0bd3b417ec4e044fb522'
+ - 'a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512'
 condition: 1 of selection*
 falsepositives:
 - Unknown
diff --git a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
index 0d6aa0c5a..fa3fb3f26 100644
--- a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
+++ b/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
@@ -15,6 +15,9 @@ references:
 - https://github.com/namazso/physmem_drivers
 - https://github.com/stong/CVE-2020-15368
 - https://github.com/CaledoniaProject/drivers-binaries
+ - https://github.com/Chigusa0w0/AsusDriversPrivEscala
+ - https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/
+ - https://eclypsium.com/2019/11/12/mother-of-all-drivers/
 date: 2022/10/03
 modified: 2022/10/10
 tags:
@@ -168,13 +171,36 @@ detection:
 - '\pgldqpoc.sys'
 - '\iqvw64e.sys'
 - '\Monitor_win10_x64.sys'
- - '\driver.sys'
+ - '\srvnetbus.sys'
 - '\Mslo64.sys'
 - '\pcdsrvc_x64.pkms'
 - '\krpocesshacker.sys'
- - '\HWiNFO64A.sys'
+ - '\HWiNFO64A.sys' # version <= 8.98, CVE-2018-8061
 - '\rzpnk.sys'
 - '\magdrvamd64.sys'
+ # https://github.com/Chigusa0w0/AsusDriversPrivEscala
+ - '\driver7-x64.sys'
+ - '\driver7-x86-withoutdbg.sys'
+ - '\driver7-x86.sys'
+ # Other
+ - '\gmer.sys'
+ - '\PCADRVX64.sys'
+ # WinRing0 other names from VT (https://eclypsium.com/2019/11/12/mother-of-all-drivers/)
+ - '\ActiveHealth.sys'
+ - '\CAM_V3.sys'
+ - '\GameFire.sys'
+ - '\OpenHardwareMonitor.sys'
+ - '\OpenHardwareMonitorLib.sys'
+ - '\OpenHardwareMonitorReport.sys'
+ - '\SmartDashboard.sys'
+ - '\SystemGauge.sys'
+ - '\SystemGaugeX7.sys'
+ - '\VideoNovaServerControllerService.sys'
+ - '\ellp_service.sys'
+ - '\hardwareproviders.sys'
+ - '\ohm.sys'
+ - '\sensorsview32_64.sys'
+ - '\touchpointanalyticsclient.sys'
 condition: selection
 falsepositives:
 - Some false positives may occure if one of the vulnerable driver names mentioned above didn't change it's name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
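Review bot: The fifteen file names added under `# WinRing0 other names from VT` (`\OpenHardwareMonitor.sys`, `\ohm.sys`, `\CAM_V3.sys`, `\SmartDashboard.sys`, …) look, from the names alone, like the file names under which hardware-monitoring and overclocking utilities bundle that driver, so this hunk widens the false-positive surface beyond what the existing falsepositives entry describes; a dedicated line such as `- Hardware monitoring and overclocking utilities that ship the WinRing0 driver under one of the file names listed in the selection` would set analyst expectations. The `# version <= 8.98, CVE-2018-8061` comment on `\HWiNFO64A.sys` is informative, but since the selection matches on file name only it cannot discriminate versions, and the comment should say so (e.g. `# name match only: version <= 8.98 is the vulnerable range, CVE-2018-8061`). The `\gmer.sys` and `\PCADRVX64.sys` entries under `# Other` carry no reference, unlike every other group in the hunk, so a source comment on each would let a later reviewer confirm they belong. The `selection` list these entries extend begins above the hunk.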