From ad2f46744c4afdd6409faec931beaefb1f72d0cb Mon Sep 17 00:00:00 2001 From: The Haag <5632822+MHaggis@users.noreply.github.com> Date: Sat, 2 Dec 2023 05:27:00 -0700 Subject: [PATCH 1/8] msr.sys --- drivers/808d2bcad62afa82a2b4fdd0fec6d9c6.bin | 3 + drivers/d90251456195433abcb63ff579a8dda8.bin | 3 + .../ee6fa2de-d388-416c-862d-24385c152fad.yaml | 251 ++++++++++++++++++ 3 files changed, 257 insertions(+) create mode 100644 drivers/808d2bcad62afa82a2b4fdd0fec6d9c6.bin create mode 100644 drivers/d90251456195433abcb63ff579a8dda8.bin create mode 100644 yaml/ee6fa2de-d388-416c-862d-24385c152fad.yaml diff --git a/drivers/808d2bcad62afa82a2b4fdd0fec6d9c6.bin b/drivers/808d2bcad62afa82a2b4fdd0fec6d9c6.bin new file mode 100644 index 000000000..5672a88ce --- /dev/null +++ b/drivers/808d2bcad62afa82a2b4fdd0fec6d9c6.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ede9a3858a12d5ddea21a310e5721bf86c2248539f42c9e0c3c29ae5b0148ba5 +size 15360 diff --git a/drivers/d90251456195433abcb63ff579a8dda8.bin b/drivers/d90251456195433abcb63ff579a8dda8.bin new file mode 100644 index 000000000..bfaecb60b --- /dev/null +++ b/drivers/d90251456195433abcb63ff579a8dda8.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6c6a4d07e95ab4212c2afefcb0ce37dc485fa56120b0419b636bd8bd326038c1 +size 16384 diff --git a/yaml/ee6fa2de-d388-416c-862d-24385c152fad.yaml b/yaml/ee6fa2de-d388-416c-862d-24385c152fad.yaml new file mode 100644 index 000000000..7d0c6452b --- /dev/null +++ b/yaml/ee6fa2de-d388-416c-862d-24385c152fad.yaml 
@@ -0,0 +1,251 @@ +Id: ee6fa2de-d388-416c-862d-24385c152fad +Author: Michael Haag +Created: '2023-12-02' +MitreID: T1068 +Category: vulnerable driver +Verified: 'TRUE' +Commands: + Command: sc.exe create msr.sys binPath=C:\windows\temp\msr.sys type=kernel && sc.exe + start msr.sys + Description: 'Identified on the MSFT Driver Block list, non-admin can write MSR. ' + Usecase: Elevate privileges + Privileges: kernel + OperatingSystem: Windows 10 +Resources: +- https://twitter.com/wdormann/status/1699878227261411699 +- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules +Acknowledgement: + Person: '' + Handle: '' +Detection: [] +KnownVulnerableSamples: +- Fileame: msr.sys + Libraries: + - ntoskrnl.exe + - HAL.dll + ImportedFunctions: + - IofCompleteRequest + - IoDeleteSymbolicLink + - IoDeleteDevice + - IoCreateSymbolicLink + - KeSetSystemGroupAffinityThread + - KeRevertToUserGroupAffinityThread + - KeBugCheckEx + - IoCreateDevice + - KeGetProcessorNumberFromIndex + - RtlInitUnicodeString + - HalSetBusDataByOffset + - HalGetBusDataByOffset + ExportedFunctions: '' + MD5: 808d2bcad62afa82a2b4fdd0fec6d9c6 + SHA1: 14c6e52e1ed19cdaac5a82da6051de89be06c334 + SHA256: ede9a3858a12d5ddea21a310e5721bf86c2248539f42c9e0c3c29ae5b0148ba5 + Imphash: ddffac000a9ce8309fadca5939bd6b19 + Machine: AMD64 + MagicHeader: 50 45 0 0 + CreationTimestamp: '2019-02-07 07:46:11' + RichPEHeaderMD5: d4f3dea543c7d1110de608833ff941e6 + RichPEHeaderSHA1: ca0a39ffadb3f6c0106d0be3b3f7f08a3a153dd1 + RichPEHeaderSHA256: e94f754b1eb264a935896cf00f5dd78aeb61f6e8448841eb5ee3150f1d8d85d5 + AuthentihashMD5: dc5d6e5c4884d33d8e85acbb295982b0 + AuthentihashSHA1: 2146bf058139453c0447786d6f6d5fc454ab955f + AuthentihashSHA256: 1f8812611cf7120e89e769cc908fabc0c9e49b27fded8dde6a3de51d9ce34f09 + Sections: + .text: + Entropy: 5.183293718914335 + Virtual Size: '0xfd' + .rdata: + Entropy: 
4.194281523340796 + Virtual Size: '0x128' + .data: + Entropy: 0.5096713223407059 + Virtual Size: '0x114' + .pdata: + Entropy: 3.132230438014181 + Virtual Size: '0x60' + PAGE: + Entropy: 5.788463310734859 + Virtual Size: '0x2e4' + INIT: + Entropy: 5.363130494284849 + Virtual Size: '0x36e' + CompanyName: '' + FileDescription: '' + InternalName: '' + OriginalFilename: '' + FileVersion: '' + ProductName: '' + LegalCopyright: '' + ProductVersion: '' + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Hardware Compatibility Publisher + ValidFrom: '2023-04-06 19:16:30' + ValidTo: '2024-04-03 19:16:30' + Signature: 46265205ad9b6e72f93c97f9bf34c09a4a9f618fec8b7dd6ec24db2163c8b019835dab33b75917d152e60a82e374a0c824aabd01367487ae41dd80c6e98facf7ab35fb0e21b812444a0740d44e44c100b6edc2d3a5a243594b116a979fae9c2e5a0e8d8b9d3809064110d2427a911e520310562b1a3524d5b3767a94069e35c0a3df4f4e1d11f91c05e35bdcce15a12d0d0083f080b21de4d12c3cd428214ed47c21b2ecf546c3d258c90fc982530b04eb7b84fcad5c7898fb6ce95f8970d0d98ab02d730c33c75ced79ea3b9aa19938e719ad84889325a5de27e97c7715d7130926057292a83f09c89f0b5e3993f32de9f773016ba173520ae0d0559bfb4f78dc8564a66b619af0162abe1b02a812562d5517d681a5f096f73a8414bc414919c173240a48d5dd226caf91c1a7fc25b88d4d407af788d09452b324bdfecb7fbec11569e50dc596319701cdf5bd4e0d3714097054b84be6a9715cbf4d499a25a01114f02aa44973515379ebfa23bf8bbaf931f08fd998c4d63cbe8ca6b062145ba4379ad1fcd5749e226e14596ad99249c8c8009212f4a997cf6e4f4940c14a0d4733bc511189110958a9defce1668953a0ef3f17bd5d588af12fae2de418169c1ad1b3571584fcd7be4875ce8d4c10edfa60652327e39158c64eba0e1db8e85c8d07371603d60d2585a61f39f265d662240813567907809db37b3a38c50c1dab + SignatureAlgorithmOID: 1.2.840.113549.1.1.11 + IsCertificateAuthority: false + SerialNumber: 3300000062f45cf99e58a96a89000000000062 + Version: 3 + TBS: + MD5: 93c79f426eb2f2a03b74a6275cac238f + SHA1: e3ae60577ad97b4113d71845e11bd33a1ef2bea8 + 
SHA256: 0f06228de7bacfbf65d426df80c4e40c5abfe5a2a402e6221dea03b18897de2b + SHA384: 4fcbd8696874577fdeed02d6f1245fb7f45d477850cbfdac0db27f478ed500665247ca122157f2678949f85e5386aa71 + - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Third Party Component CA 2014 + ValidFrom: '2014-10-15 20:31:27' + ValidTo: '2029-10-15 20:41:27' + Signature: 96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f + SignatureAlgorithmOID: 1.2.840.113549.1.1.11 + IsCertificateAuthority: true + SerialNumber: 330000000d690d5d7893d076df00000000000d + Version: 3 + TBS: + MD5: 83f69422963f11c3c340b81712eef319 + SHA1: 0c5e5f24590b53bc291e28583acb78e5adc95601 + SHA256: d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae + SHA384: 260ad59ba706420f68ba212931153bd89f760c464b21be55fba9d014fff322407859d4ebfb78ea9a3330f60dc9821a63 + Signer: + - SerialNumber: 3300000062f45cf99e58a96a89000000000062 + Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Third 
Party Component CA 2014 + Version: 1 + Authentihash: + MD5: dc5d6e5c4884d33d8e85acbb295982b0 + SHA1: 2146bf058139453c0447786d6f6d5fc454ab955f + SHA256: 1f8812611cf7120e89e769cc908fabc0c9e49b27fded8dde6a3de51d9ce34f09 + RichPEHeaderHash: + MD5: d4f3dea543c7d1110de608833ff941e6 + SHA1: ca0a39ffadb3f6c0106d0be3b3f7f08a3a153dd1 + SHA256: e94f754b1eb264a935896cf00f5dd78aeb61f6e8448841eb5ee3150f1d8d85d5 + Description: '' + Company: '' + Product: '' + Copyright: '' + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll +- Fileame: msr.sys + Libraries: + - ntoskrnl.exe + - HAL.dll + ImportedFunctions: + - IofCompleteRequest + - IoDeleteSymbolicLink + - IoDeleteDevice + - KeGetProcessorNumberFromIndex + - IoCreateSymbolicLink + - KeRevertToUserGroupAffinityThread + - ZwMapViewOfSection + - ZwUnmapViewOfSection + - KeBugCheckEx + - DbgPrint + - ZwOpenSection + - IoCreateDevice + - KeSetSystemGroupAffinityThread + - RtlInitUnicodeString + - HalSetBusDataByOffset + - HalFreeHardwareCounters + - HalAllocateHardwareCounters + - HalGetBusDataByOffset + ExportedFunctions: '' + MD5: d90251456195433abcb63ff579a8dda8 + SHA1: 0a02625927613c9a492a9eac3ea943ddf6f64028 + SHA256: 6c6a4d07e95ab4212c2afefcb0ce37dc485fa56120b0419b636bd8bd326038c1 + Imphash: 90862ed3cb06642744e5aff0d881f694 + Machine: AMD64 + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-03-13 06:03:45' + RichPEHeaderMD5: a9a5e090dd2f0faae708d12243a6beb2 + RichPEHeaderSHA1: 89fb87aed185c809cd36b07ac5f9e7a5830925a2 + RichPEHeaderSHA256: aa3af1f1ddf9ec78ac1569ee1f30193f9636ed216fbe99e5d3f3167807749249 + AuthentihashMD5: b6bb37bc17ea29b0edac914de37518e6 + AuthentihashSHA1: 381cc2b974d440edea0bbc010c4bef4cdc2169b7 + AuthentihashSHA256: d23f28169d6e5c09a89e5136a4ff899a3b6f886535bb0254a27dd00a2753c412 + Sections: + .text: + Entropy: 5.020611101197345 + Virtual Size: '0x121' + .rdata: + Entropy: 4.134658643685672 + Virtual Size: '0x16c' + .data: + Entropy: 0.5096713223407059 + Virtual Size: '0x114' + .pdata: + Entropy: 
3.1007767920907034 + Virtual Size: '0x60' + PAGE: + Entropy: 6.135370120580779 + Virtual Size: '0x474' + INIT: + Entropy: 5.4171130453837355 + Virtual Size: '0x520' + CompanyName: '' + FileDescription: '' + InternalName: '' + OriginalFilename: '' + FileVersion: '' + ProductName: '' + LegalCopyright: '' + ProductVersion: '' + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Hardware Compatibility Publisher + ValidFrom: '2023-04-06 19:16:30' + ValidTo: '2024-04-03 19:16:30' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.11 + IsCertificateAuthority: false + SerialNumber: 3300000062f45cf99e58a96a89000000000062 + Version: 3 + TBS: + MD5: 93c79f426eb2f2a03b74a6275cac238f + SHA1: e3ae60577ad97b4113d71845e11bd33a1ef2bea8 + SHA256: 0f06228de7bacfbf65d426df80c4e40c5abfe5a2a402e6221dea03b18897de2b + SHA384: 4fcbd8696874577fdeed02d6f1245fb7f45d477850cbfdac0db27f478ed500665247ca122157f2678949f85e5386aa71 + - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Third Party Component CA 2014 + ValidFrom: '2014-10-15 20:31:27' + ValidTo: '2029-10-15 20:41:27' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.11 + IsCertificateAuthority: true + SerialNumber: 330000000d690d5d7893d076df00000000000d + Version: 3 + TBS: + MD5: 83f69422963f11c3c340b81712eef319 + SHA1: 0c5e5f24590b53bc291e28583acb78e5adc95601 + SHA256: d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae + SHA384: 260ad59ba706420f68ba212931153bd89f760c464b21be55fba9d014fff322407859d4ebfb78ea9a3330f60dc9821a63 + Signer: + - SerialNumber: 3300000062f45cf99e58a96a89000000000062 + Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Third Party Component CA 2014 + Version: 1 + Authentihash: + MD5: 
b6bb37bc17ea29b0edac914de37518e6 + SHA1: 381cc2b974d440edea0bbc010c4bef4cdc2169b7 + SHA256: d23f28169d6e5c09a89e5136a4ff899a3b6f886535bb0254a27dd00a2753c412 + RichPEHeaderHash: + MD5: a9a5e090dd2f0faae708d12243a6beb2 + SHA1: 89fb87aed185c809cd36b07ac5f9e7a5830925a2 + SHA256: aa3af1f1ddf9ec78ac1569ee1f30193f9636ed216fbe99e5d3f3167807749249 + Description: '' + Company: '' + Product: '' + Copyright: '' + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - HAL.dll +Tags: +- msr.sys From f950ee1dd9e99dc0b358f51dfba37e32215124f5 Mon Sep 17 00:00:00 2001 From: The Haag <5632822+MHaggis@users.noreply.github.com> Date: Sat, 2 Dec 2023 05:33:34 -0700 Subject: [PATCH 2/8] Echodriver + MSR --- .../afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml | 259 ++++++++++++++++++ .../ee6fa2de-d388-416c-862d-24385c152fad.yaml | 4 +- 2 files changed, 261 insertions(+), 2 deletions(-) diff --git a/yaml/afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml b/yaml/afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml index 0c83fdff8..33d9e0629 100644 --- a/yaml/afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml +++ b/yaml/afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml 
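Review bot: `Detection: []` ships this entry without any detection content, and `Acknowledgement.Person`/`Handle` are left blank although the first `Resources` link is the tweet the finding appears to originate from. Unless the repo derives detections from the hashes automatically, the two SHA256 values and the `sc.exe create ... type=kernel` service-creation pattern already present in `Commands` are the natural basis for a Detection entry, and the acknowledgement should credit the source. The `Description` value also carries a trailing space (`'... non-admin can write MSR. '`) that the next normalisation pass will churn; trimming it now avoids a spurious diff later.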
@@ -155,6 +155,265 @@ KnownVulnerableSamples: Windows Third Party Component CA 2014 Version: 1 Imphash: a94892b77a6474429b9f692d9952a9d5 +- Filename: 'echodriver' + Libraries: + - ntoskrnl.exe + - WDFLDR.SYS + ImportedFunctions: + - PsTerminateSystemThread + - IofCompleteRequest + - IoCreateDevice + - IoCreateSymbolicLink + - IoDeleteDevice + - IoDeleteSymbolicLink + - IoGetCurrentProcess + - ObReferenceObjectByHandle + - ObfDereferenceObject + - ObRegisterCallbacks + - ObUnRegisterCallbacks + - ObGetFilterVersion + - PsCreateSystemThread + - ZwClose + - PsSetCreateThreadNotifyRoutine + - PsRemoveCreateThreadNotifyRoutine + - PsGetCurrentProcessId + - PsGetProcessId + - PsGetThreadProcessId + - ZwTerminateProcess + - RtlRandomEx + - PsLookupProcessByProcessId + - ObOpenObjectByPointer + - PsProcessType + - PsThreadType + - KeWaitForSingleObject + - RtlCopyUnicodeString + - KeDelayExecutionThread + - DbgPrintEx + - ZwUnloadDriver + - RtlInitUnicodeString + - WdfVersionUnbind + - WdfVersionBind + - WdfVersionUnbindClass + - WdfVersionBindClass + ExportedFunctions: '' + MD5: 69fd73a83df164d7fe5d89e006e945dc + SHA1: 2fcfb50b5c91dd3e3b48d91a60acc26138f406b6 + SHA256: a41e9bb037cf1dc2237659b1158f0ed4e49b752b2f9dae4cc310933a9d1f1e47 + Imphash: 8b9e0d788c2eaf2c7f14613be96a14ef + Machine: AMD64 + MagicHeader: 50 45 0 0 + CreationTimestamp: '2021-01-07 23:47:44' + RichPEHeaderMD5: a30de20396700c11c4814cc1afb687be + RichPEHeaderSHA1: c3a2151d02fa314d617fd4a56a3014e2232132e8 + RichPEHeaderSHA256: dd442fcf6a0f1d238ea0c65995753b5ade95c734da71b0947442ac68b69e6714 + AuthentihashMD5: ccaf2dcbc166d6436a8bdc226273ee8e + AuthentihashSHA1: 503901e0da00e491f28389f17cafd1f1d5243c60 + AuthentihashSHA256: 48dc7fd16aacdc8792f8bad1b1f7ca9d675ddac7767e957ea8c4227150d64e2d + Sections: + .text: + Entropy: 6.014631414956102 + Virtual Size: '0xcee' + .rdata: + Entropy: 4.859318138184422 + Virtual Size: '0xa14' + .data: + Entropy: 0.5984918976590248 + Virtual Size: '0x328' + .pdata: + Entropy: 
3.5096664820400054 + Virtual Size: '0xfc' + INIT: + Entropy: 5.408896279667701 + Virtual Size: '0x6ae' + .reloc: + Entropy: 3.0362376705219396 + Virtual Size: '0x24' + CompanyName: '' + FileDescription: '' + InternalName: '' + OriginalFilename: '' + FileVersion: '' + ProductName: '' + LegalCopyright: '' + ProductVersion: '' + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Hardware Compatibility Publisher + ValidFrom: '2020-03-11 17:31:14' + ValidTo: '2021-03-05 17:31:14' + Signature: 7dfc7c353c4c04d9d06066e1ca8584637192eb15d1d6e7c5521b0d819d615fb56524985d30535b0573fb8e0d13173d51b27bd23b9a2052738891d67ed360766452b62c4566eb20c90f018229a8e951bf58df5a7d731c1e51217f471d470979f04e900920bfc8715122b331d82f68f73ebf3de36e09d18fbfed2f3c29190a41baafbca0025bf4e36310a04cb8e61c32fda677820aa693a7f5e69d3c3abdb495b12bb8b6d10f65d44fae945d9b0fcf695d4711fc9e1c0ddb1f569c13093e16c389f748d8fe60e8685f02357464564761db4cece391baa742f3ad3bcfa26e01975966ca41939c832bf1147bec870162ce042fd0cf10d048181ec573d317f2c5de21512f13b24de9bac9bb83fc2ceb4f6f766536fe38c03ede1f8b0a3b8828e8d914d73d0a17699ab20264a27a36e0f77c5144cf470bf44d2296290e345bd25c0bc6a08dd963ec39ce0e500599751c652dc20e9906c1ce76c1d86c09058ae8defb3d7b93b68a34ca83a981a30c2403723f7e5c664b1e951050002ad32e976db221c2d8c660047dc6acfe0da16d44c6372a5cd04b016a35193f841b903ba87e2d6e416a2c59469af9f16e249bb891f21ec22f2db0a84a48d7a9e43d2f7e3bdd016d600f57daf21829885ec035287ab332c32738f5e26c6d2502b2f044afb1e048c85c7c9baf76747de14ecdeca3c7481796a741672a047f89dafe2c12c01982a026c4 + SignatureAlgorithmOID: 1.2.840.113549.1.1.11 + IsCertificateAuthority: false + SerialNumber: 330000003a6ae333708fda7a7b00000000003a + Version: 3 + TBS: + MD5: 6f5d716e7151f1c173396adb7213359e + SHA1: 100610baae90027e9844a8e9c4d489fe122ecd9c + SHA256: 677d532777cee24be88442efec75e9640e80ef57d8e1246396459a1a04be733f + SHA384: 
35d397c22426b9c4c486fa5dd36c089209ab77026e981bd353ffbf060f54fd98f2afe9b45dd64c20614a5d5627b8dd0c + - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Third Party Component CA 2014 + ValidFrom: '2014-10-15 20:31:27' + ValidTo: '2029-10-15 20:41:27' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.11 + IsCertificateAuthority: true + SerialNumber: 330000000d690d5d7893d076df00000000000d + Version: 3 + TBS: + MD5: 83f69422963f11c3c340b81712eef319 + SHA1: 0c5e5f24590b53bc291e28583acb78e5adc95601 + SHA256: d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae + SHA384: 260ad59ba706420f68ba212931153bd89f760c464b21be55fba9d014fff322407859d4ebfb78ea9a3330f60dc9821a63 + Signer: + - SerialNumber: 330000003a6ae333708fda7a7b00000000003a + Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Third Party Component CA 2014 + Version: 1 +- Filename: 'echodriver.sys' + Libraries: + - cng.sys + - ntoskrnl.exe + - WDFLDR.SYS + ImportedFunctions: + - BCryptVerifySignature + - BCryptCreateHash + - BCryptDestroyKey + - BCryptFinishHash + - BCryptDestroyHash + - BCryptImportKeyPair + - BCryptCloseAlgorithmProvider + - BCryptGetProperty + - BCryptHashData + - BCryptOpenAlgorithmProvider + - IoGetCurrentProcess + - ObRegisterCallbacks + - ObUnRegisterCallbacks + - ObGetFilterVersion + - PsGetProcessId + - PsGetThreadProcessId + - PsProcessType + - PsThreadType + - DbgPrint + - ExAllocatePoolWithTag + - ExFreePoolWithTag + - ProbeForRead + - ZwCreateFile + - ZwQueryInformationFile + - IoDeleteDevice + - ZwClose + - SeLocateProcessImageName + - RtlGetVersion + - KeIpiGenericCall + - IofCompleteRequest + - ObReferenceObjectByHandle + - ObfDereferenceObject + - ZwOpenKey + - ZwQueryValueKey + - MmCopyMemory + - MmGetVirtualForPhysical + - KeStackAttachProcess + - KeUnstackDetachProcess + - PsLookupProcessByProcessId + - ObOpenObjectByPointer + - 
ZwQueryVirtualMemory + - MmCopyVirtualMemory + - __C_specific_handler + - ZwOpenProcess + - ZwQuerySystemInformation + - ZwQueryInformationProcess + - IoDeleteSymbolicLink + - RtlCopyUnicodeString + - DbgPrintEx + - IoCreateSymbolicLink + - IoCreateDevice + - RtlInitUnicodeString + - ZwReadFile + - WdfVersionUnbind + - WdfVersionBindClass + - WdfVersionUnbindClass + - WdfVersionBind + ExportedFunctions: '' + MD5: 410b44dc8ec9e756e2abdbb406aa42ad + SHA1: 04fd5eb356f63e2afc218a32aa7c27c9e9a5c42a + SHA256: ada2b855757c9062231f5ed4e80365b8d8094e9adbce8f26d1ff5ea0b7a70c77 + Imphash: a2180e353b7db3ab59bab0bbbd09962b + Machine: AMD64 + MagicHeader: 50 45 0 0 + CreationTimestamp: '2021-07-19 19:12:05' + RichPEHeaderMD5: a90d303a65c24db3a118b98e4a47ffdc + RichPEHeaderSHA1: 60cda5b7f044e0e6cc90a800741cae06d5a61975 + RichPEHeaderSHA256: a8a785d37c7c1f79fcff9f9887d71c44e18001bd74ca5db3aa72b163ed798704 + AuthentihashMD5: 825730ad17e9049c65f26f0426f7f233 + AuthentihashSHA1: 18cd81740893fa24f1afbb9d187a60af9c5b2902 + AuthentihashSHA256: 4160dae22484062ccc3750cc9cac8f929d8701694160a3b508715610814aa28d + Sections: + .text: + Entropy: 6.26052193214872 + Virtual Size: '0x2061' + .rdata: + Entropy: 4.783468366688466 + Virtual Size: '0xb9c' + .data: + Entropy: 2.463479406401615 + Virtual Size: '0x388' + .pdata: + Entropy: 3.7115104332177165 + Virtual Size: '0x138' + INIT: + Entropy: 4.879509043053179 + Virtual Size: '0x740' + .reloc: + Entropy: 3.0210848226564435 + Virtual Size: '0x24' + CompanyName: '' + FileDescription: '' + InternalName: '' + OriginalFilename: '' + FileVersion: '' + ProductName: '' + LegalCopyright: '' + ProductVersion: '' + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Hardware Compatibility Publisher + ValidFrom: '2020-12-15 22:25:28' + ValidTo: '2021-12-02 22:25:28' + Signature: 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 + 
SignatureAlgorithmOID: 1.2.840.113549.1.1.11 + IsCertificateAuthority: false + SerialNumber: 33000000433a68189e33902987000000000043 + Version: 3 + TBS: + MD5: 3d790bd5602e84a4aa8560133ced0a41 + SHA1: 909e31e3e3808ab55d508fc0ba47e0132a57d7ab + SHA256: ac1acbcba260f10270527c3762457c1b96818466df9da51dfec3b147c90db453 + SHA384: c548f472f381df2da149c036e2f47be20293838eb23adce5e1b0ad1ba1fe8c33f688528452146c87dcb26070a2a23ced + - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Third Party Component CA 2014 + ValidFrom: '2014-10-15 20:31:27' + ValidTo: '2029-10-15 20:41:27' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.11 + IsCertificateAuthority: true + SerialNumber: 330000000d690d5d7893d076df00000000000d + Version: 3 + TBS: + MD5: 83f69422963f11c3c340b81712eef319 + SHA1: 0c5e5f24590b53bc291e28583acb78e5adc95601 + SHA256: d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae + SHA384: 260ad59ba706420f68ba212931153bd89f760c464b21be55fba9d014fff322407859d4ebfb78ea9a3330f60dc9821a63 + Signer: + - SerialNumber: 33000000433a68189e33902987000000000043 + Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Third Party Component CA 2014 + Version: 1 MitreID: T1134 Resources: - https://ioctl.fail/echo-ac-writeup/ diff --git a/yaml/ee6fa2de-d388-416c-862d-24385c152fad.yaml b/yaml/ee6fa2de-d388-416c-862d-24385c152fad.yaml index 7d0c6452b..a46bceb5c 100644 --- a/yaml/ee6fa2de-d388-416c-862d-24385c152fad.yaml +++ b/yaml/ee6fa2de-d388-416c-862d-24385c152fad.yaml @@ -19,7 +19,7 @@ Acknowledgement: Handle: '' Detection: [] KnownVulnerableSamples: -- Fileame: msr.sys +- Filename: msr.sys Libraries: - ntoskrnl.exe - HAL.dll @@ -130,7 +130,7 @@ KnownVulnerableSamples: Imports: - ntoskrnl.exe - HAL.dll -- Fileame: msr.sys +- Filename: msr.sys Libraries: - ntoskrnl.exe - HAL.dll 
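Review bot: The first added sample is `Filename: 'echodriver'` with no extension while the second is `Filename: 'echodriver.sys'` and the file's existing tag is `echo_driver.sys`, so three spellings now compete for the same driver; the PE version fields of both samples are all `''`, so the name cannot be recovered from the binary and one canonical value should be chosen and mirrored in `Tags`. Both new samples also stop at `Signer: ... Version: 1` and lack the `Authentihash`/`RichPEHeaderHash`/`Imports` trailer that the msr.sys entries added in PATCH 1/8 carry, so entries produced in the same session have different schemas; the diffstat of PATCH 5/8 lists this file with only `4 +-`, which suggests that commit does not backfill them. The existing sample preceding the added lines starts outside the hunk.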
From b9a74130a8d1621c884b8b65686b07dd5a2f1935 Mon Sep 17 00:00:00 2001
From: The Haag <5632822+MHaggis@users.noreply.github.com>
Date: Sat, 2 Dec 2023 05:55:10 -0700
Subject: [PATCH 3/8] Update afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml
---
 yaml/afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/yaml/afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml b/yaml/afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml
index 33d9e0629..fd34f0c7b 100644
--- a/yaml/afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml
+++ b/yaml/afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml
@@ -418,6 +418,7 @@ MitreID: T1134
 Resources:
 - https://ioctl.fail/echo-ac-writeup/
 - https://github.com/kite03/echoac-poc/tree/main/PoC
+- https://github.com/pseuxide/kur
 Tags:
 - echo_driver.sys
 Verified: 'TRUE'
From ece624ccae9360c5905ec7b2a185254b8fc703d9 Mon Sep 17 00:00:00 2001
From: The Haag <5632822+MHaggis@users.noreply.github.com>
Date: Sat, 2 Dec 2023 07:02:55 -0700
Subject: [PATCH 4/8] superman
---
 drivers/98b8507e725b3d28537fc374eb2de72d.bin | 3 +
 .../7ce8fb06-46eb-4f4f-90d5-5518a6561f15.yaml | 185 ++++++++++++++++++
 2 files changed, 188 insertions(+)
 create mode 100644 drivers/98b8507e725b3d28537fc374eb2de72d.bin
diff --git a/drivers/98b8507e725b3d28537fc374eb2de72d.bin b/drivers/98b8507e725b3d28537fc374eb2de72d.bin
new file mode 100644
index 000000000..89370d795
--- /dev/null
+++ b/drivers/98b8507e725b3d28537fc374eb2de72d.bin
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0052aa88e42055a2eed5ddd17c3499c692360155e5e031a211edfcef577acce3
+size 56592
diff --git a/yaml/7ce8fb06-46eb-4f4f-90d5-5518a6561f15.yaml b/yaml/7ce8fb06-46eb-4f4f-90d5-5518a6561f15.yaml
index 4704e1ef1..b9324c722 100644
--- a/yaml/7ce8fb06-46eb-4f4f-90d5-5518a6561f15.yaml
+++ b/yaml/7ce8fb06-46eb-4f4f-90d5-5518a6561f15.yaml
@@ -224,6 +224,190 @@ KnownVulnerableSamples: Issuer: C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2 Version: 1 Imphash: a998fe47a44bfbf2399968e21cfdf7ca +- Name: '' + Libraries: + - ntoskrnl.exe + ImportedFunctions: + - PsProcessType + - IoDeleteSymbolicLink + - ExFreePoolWithTag + - strncmp + - _snwprintf + - PsLookupProcessByProcessId + - RtlInitUnicodeString + - IoDeleteDevice + - KeUnstackDetachProcess + - KeDetachProcess + - IoDriverObjectType + - wcsrchr + - ExAllocatePool + - ZwClose + - KeBugCheck + - IofCompleteRequest + - ObReferenceObjectByHandle + - KeAttachProcess + - PsGetVersion + - PsThreadType + - IoCreateSymbolicLink + - MmIsAddressValid + - ObfDereferenceObject + - ObReferenceObjectByName + - IoCreateDevice + - ObOpenObjectByPointer + - KeStackAttachProcess + - PsLookupThreadByThreadId + - KeClearEvent + - IoGetBaseFileSystemDeviceObject + - IoBuildSynchronousFsdRequest + - _wcsnicmp + - ZwReadFile + - wcsncpy + - KeInitializeEvent + - ZwSetInformationFile + - strncpy + - IoGetDeviceObjectPointer + - NtClose + - KeWaitForSingleObject + - ZwDeleteFile + - RtlCompareUnicodeString + - ObfReferenceObject + - ZwOpenFile + - ZwQueryInformationFile + - ZwWriteFile + - IofCallDriver + - wcschr + - MmUnmapLockedPages + - _stricmp + - _strnicmp + - RtlVolumeDeviceToDosName + - ZwMapViewOfSection + - MmGetSystemRoutineAddress + - ZwQuerySystemInformation + - KeReleaseSpinLock + - ZwOpenThread + - IoFreeMdl + - KeDelayExecutionThread + - MmMapLockedPagesSpecifyCache + - ZwUnmapViewOfSection + - IoGetCurrentProcess + - MmProbeAndLockPages + - ZwOpenProcess + - MmUnlockPages + - ZwQueryInformationProcess + - ZwCreateSection + - wcsncmp + - ZwTerminateProcess + - ZwQueryInformationThread + - IoAllocateMdl + - KeAcquireSpinLockRaiseToDpc + - ZwQuerySymbolicLinkObject + - KeSetEvent + - RtlEqualUnicodeString + - ZwOpenSymbolicLinkObject + - ZwOpenDirectoryObject + - ZwQueryDirectoryObject + - IoFreeIrp + - IoAllocateIrp + - IoGetDeviceInterfaces + - 
IoCreateNotificationEvent + - ObQueryNameString + - ZwWaitForSingleObject + - ZwQueryDirectoryFile + - KeResetEvent + - KdDebuggerNotPresent + - PsCreateSystemThread + - PsTerminateSystemThread + - KeBugCheckEx + - __C_specific_handler + ExportedFunctions: '' + MD5: 98b8507e725b3d28537fc374eb2de72d + SHA1: c80d7fe8279ddfd466505a24b9c8cc7a68b9d0e4 + SHA256: 0052aa88e42055a2eed5ddd17c3499c692360155e5e031a211edfcef577acce3 + Imphash: a998fe47a44bfbf2399968e21cfdf7ca + Machine: AMD64 + MagicHeader: 50 45 0 0 + CreationTimestamp: '2016-03-09 07:28:57' + RichPEHeaderMD5: ae0016968883c7b6d9bf26bf6adcb454 + RichPEHeaderSHA1: ae1e456ae17f0bce4cb62e8cc3a76e5b83c53caa + RichPEHeaderSHA256: 9c178663dffdd9f9429f961711da30f4c966a2437d235785d182a6e5afb40fbc + AuthentihashMD5: 7514f440c5b9e5c4a0498e4489b76d62 + AuthentihashSHA1: 0bca6c35159282fd64615abc4d398399b061847b + AuthentihashSHA256: 3913d9754b78182aa25d38fbd7ea02502bdf1d81e6525ab4b5ffe5f543200478 + Sections: + .text: + Entropy: 6.190031082489791 + Virtual Size: '0x9ed1' + .rdata: + Entropy: 4.557929170549758 + Virtual Size: '0xe44' + .data: + Entropy: 0.30140680731160896 + Virtual Size: '0xf50' + .pdata: + Entropy: 4.428217198958577 + Virtual Size: '0x468' + INIT: + Entropy: 5.165565402631577 + Virtual Size: '0xace' + .rsrc: + Entropy: 3.389674147151622 + Virtual Size: '0x368' + CompanyName: GMER + FileDescription: GMER Driver http://www.gmer.net + InternalName: gmer64.sys + OriginalFilename: gmer64.sys + FileVersion: '2, 0, 6983 built by: WinDDK' + ProductName: GMER + LegalCopyright: Copyright (C) GMER 2003-2013 + ProductVersion: 2, 0, 6983 + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2 + ValidFrom: '2011-04-13 10:00:00' + ValidTo: '2019-04-13 10:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 
0400000000012f4ee1355c + Version: 3 + TBS: + MD5: f6a9e8eb8784f3f694b4e353c08a0ff5 + SHA1: 589a7d4df869395601ba7538a65afae8c4616385 + SHA256: cbdc9a0ad785d0c2013211746b42234e18bdc7d54a7a260647badc1c9e712ed4 + SHA384: dcec542f242317863d0b3d23947e17d6982e381003831777b07ed75b46fb18bd0392a89c9beb6862981cd05f3f2fb77b + - Subject: C=PL, ST=Katowice, L=Katowice, O=GMEREK Systemy Komputerowe Przemyslaw + Gmerek, CN=GMEREK Systemy Komputerowe Przemyslaw Gmerek + ValidFrom: '2014-01-02 07:01:46' + ValidTo: '2015-02-04 15:04:09' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 1121c5bcad73319ee0131e328a2b814e164a + Version: 3 + TBS: + MD5: 6f0e4c627d045bd81b94ec79fd4b371d + SHA1: a624238b100a59ac8722559c4d1e75aa4f7d99a4 + SHA256: f0f8a64560267f1ff198c83420155851c8b91ae9eeb6227c9d1833b29b504e83 + SHA384: 3f63878ac97adadd93ed3e316d703f25459441d2d9847dd8caec36af8c904906aaf96b55cde8cefda3d3c8031c722dd1 + - Subject: C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA + ValidFrom: '2011-04-15 19:55:08' + ValidTo: '2021-04-15 20:05:08' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 6129152700000000002a + Version: 3 + TBS: + MD5: 0bb058d116f02817737920f112d9fd3b + SHA1: fd116235171a4feafedee586b7a59185fb5fd7e6 + SHA256: f970426cc46d2ae0fc5f899fa19dbe76e05f07e525654c60c3c9399492c291f4 + SHA384: c0df876be008c26ca407fe904e6f5e7ccded17f9c16830ce9f8022309c9e64c97f494810f152811ae43e223b82ad7cc6 + Signer: + - SerialNumber: 1121c5bcad73319ee0131e328a2b814e164a + Issuer: C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2 + Version: 1 MitreID: T1068 Resources: - https://github.com/magicsword-io/LOLDrivers/issues/55#issuecomment-1537161951 
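Review bot: The new sample is recorded as `- Name: ''` although every other sample in the series uses the `Filename` key, and the value is empty even though `InternalName`/`OriginalFilename` read `gmer64.sys` and the next hunk tags the file as `superman.sys`; the name the driver is distributed under (the commit title and the `b1-team/superman` resource suggest `superman.sys`) should go into `Filename` so hash-to-name lookups work. Worth a sentence in the entry: the sample's `Imphash: a998fe47a44bfbf2399968e21cfdf7ca` is identical to the existing sample's (the context line at the top of the hunk), which points to the same build being redistributed under a different name. The signer's certificate is listed with `ValidTo: '2015-02-04 15:04:09'` while `CreationTimestamp` is `'2016-03-09 07:28:57'`, a gap a reader will want explained if the signature is treated as valid.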
@@ -233,4 +417,5 @@ Resources:
 - https://github.com/b1-team/superman
 Tags:
 - gmer64.sys
+- superman.sys
 Verified: 'TRUE'
From dcca17e895b972be4fb548bad5566393731f03be Mon Sep 17 00:00:00 2001
From: The Haag <5632822+MHaggis@users.noreply.github.com>
Date: Sat, 2 Dec 2023 08:46:25 -0700
Subject: [PATCH 5/8] rentdrv2
---
 drivers/1585d3eda733dfe42202bb98f95f7f5d.bin | 3 +
 drivers/5fea22f442e7fd34a54008e363446d13.bin | 3 +
 .../0ae44ce5-cffb-485d-9dd4-732e15882ecc.yaml | 27 +-
 .../7ce8fb06-46eb-4f4f-90d5-5518a6561f15.yaml | 19 +-
 .../97045c68-a808-4bd5-8873-c94730076f51.yaml | 375 ++++++++++++++++++
 .../afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml | 4 +-
 .../e0e93453-1007-4799-ad02-9b461b7e0398.yaml | 17 +-
 7 files changed, 437 insertions(+), 11 deletions(-)
 create mode 100644 drivers/1585d3eda733dfe42202bb98f95f7f5d.bin
 create mode 100644 drivers/5fea22f442e7fd34a54008e363446d13.bin
 create mode 100644 yaml/97045c68-a808-4bd5-8873-c94730076f51.yaml
diff --git a/drivers/1585d3eda733dfe42202bb98f95f7f5d.bin b/drivers/1585d3eda733dfe42202bb98f95f7f5d.bin
new file mode 100644
index 000000000..442432db4
--- /dev/null
+++ b/drivers/1585d3eda733dfe42202bb98f95f7f5d.bin
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1aed62a63b4802e599bbd33162319129501d603cceeb5e1eb22fd4733b3018a3
+size 41152
diff --git a/drivers/5fea22f442e7fd34a54008e363446d13.bin b/drivers/5fea22f442e7fd34a54008e363446d13.bin
new file mode 100644
index 000000000..14fe5d65a
--- /dev/null
+++ b/drivers/5fea22f442e7fd34a54008e363446d13.bin
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9165d4f3036919a96b86d24b64d75d692802c7513f2b3054b20be40c212240a5
+size 32328
diff --git a/yaml/0ae44ce5-cffb-485d-9dd4-732e15882ecc.yaml b/yaml/0ae44ce5-cffb-485d-9dd4-732e15882ecc.yaml
index dd34fb936..fc822fb5e 100644
--- a/yaml/0ae44ce5-cffb-485d-9dd4-732e15882ecc.yaml
+++ b/yaml/0ae44ce5-cffb-485d-9dd4-732e15882ecc.yaml
@@ -25,7 +25,7 @@ Acknowledgement: Handle: '' Detection: [] KnownVulnerableSamples: -- Filename: 'Truesight' +- Filename: Truesight Libraries: - ntoskrnl.exe ImportedFunctions: @@ -110,7 +110,7 @@ KnownVulnerableSamples: Imphash: b95bc1a99081d695b1c0b37b90a4a0be Machine: AMD64 MagicHeader: 50 45 0 0 - CreationTimestamp: '2023-08-29 12:07:25' + CreationTimestamp: '2023-08-29 06:07:25' RichPEHeaderMD5: 2aa941242ce069665648272f38f01e61 RichPEHeaderSHA1: 27a430c07c51453e908a94ae3e2640dc733030e3 RichPEHeaderSHA256: 78b94bc1db7ed451dff0467fac7a5e568a1d35f9cabcffbdb4690c13719861bb @@ -125,7 +125,7 @@ KnownVulnerableSamples: Entropy: 4.696875660287618 Virtual Size: '0x1184' .data: - Entropy: 2.4448556315683105 + Entropy: 2.44485563156831 Virtual Size: '0x320' .pdata: Entropy: 4.30658373083434 @@ -137,10 +137,10 @@ KnownVulnerableSamples: Entropy: 5.52229514751666 Virtual Size: '0xb14' .rsrc: - Entropy: 3.2891744328822807 + Entropy: 3.2891744328822803 Virtual Size: '0x3e0' .reloc: - Entropy: 4.191806540004826 + Entropy: 4.191806540004825 Virtual Size: '0x6c' CompanyName: Adlice Software FileDescription: RogueKiller Antirootkit Driver @@ -198,5 +198,20 @@ KnownVulnerableSamples: - SerialNumber: 169d2c94309c0380414bcfdd93a6b27d Issuer: C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA EV R36 Version: 1 + Authentihash: + MD5: 7ac40b0bee0d9b6e84d58d567e82e736 + SHA1: 13c6de4203098a8017a0bd4c4da98f6d547482bb + SHA256: 891ad430e7f1d58ef85b437505a6016fa99a72abcfd4734476efc5fc1fcd1cba + RichPEHeaderHash: + MD5: 2aa941242ce069665648272f38f01e61 + SHA1: 27a430c07c51453e908a94ae3e2640dc733030e3 + SHA256: 78b94bc1db7ed451dff0467fac7a5e568a1d35f9cabcffbdb4690c13719861bb + Description: RogueKiller Antirootkit Driver + Company: Adlice Software + Product: Truesight + Copyright: Copyright Adlice Software(C) 2023 + MachineType: AMD64 + Imports: + - ntoskrnl.exe Tags: -- truesight.sys \ No newline at end of file +- truesight.sys 
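Review bot: The `CreationTimestamp` edit in the `@@ -110,7` hunk moves the value from `'2023-08-29 12:07:25'` to `'2023-08-29 06:07:25'`, a six-hour shift that matches the author's `-0700`/`-0600` local offset rather than any change in the binary, so one of the two values appears to be the PE TimeDateStamp rendered in local time instead of UTC; the `@@ -326,7` hunk of yaml/7ce8fb06-… on the next line shows the same drift (`07:28:57` → `00:28:57`, seven hours for a pre-DST March date). A field whose value depends on where the generator runs cannot be compared across contributors, so the generator should emit the raw UTC value and the entry should say so, e.g. `CreationTimestamp: '<utc value>'  # PE TimeDateStamp, UTC`. The `Entropy` edits in the `@@ -125,7` and `@@ -137,10` hunks are float-repr noise in the last digits (`2.4448556315683105` → `2.44485563156831`); rounding to a fixed precision in the generator would stop these churn diffs. PATCH 7/8 in this series deletes this file as a duplicate of yaml/e0e93453-…, so the fix belongs in the generator and in the surviving file.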
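Review bot: The `@@ -198,5 +198,20` hunk adds `Authentihash`, `RichPEHeaderHash`, `Description`, `Company`, `Product`, `Copyright`, `MachineType` and `Imports` to a sample that already carries the same data as `AuthentihashMD5`/`AuthentihashSHA1`/`AuthentihashSHA256`, `RichPEHeaderMD5`/`RichPEHeaderSHA1`/`RichPEHeaderSHA256`, `FileDescription`, `CompanyName`, `ProductName`, `LegalCopyright`, `Machine` and `Libraries`, so each fact now lives under two keys with no rule for which one a consumer should trust. The `@@ -408,6 +408,21` hunk of yaml/7ce8fb06-… on the next line and the `@@ -198,5 +198,20` hunk of yaml/e0e93453-… later in PATCH 5/8 make the same change. If the nested form is the new schema, the generator should stop emitting the flat keys in the same pass, or a comment at the top of `KnownVulnerableSamples` should state which set is authoritative, e.g. `# Authentihash/RichPEHeaderHash/Imports duplicate the flat *MD5/*SHA* keys; the nested form is canonical`. If downstream blocklist tooling keys on one of the hash spellings, a later edit to only the other copy would leave a stale hash in the feed.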
diff --git a/yaml/7ce8fb06-46eb-4f4f-90d5-5518a6561f15.yaml b/yaml/7ce8fb06-46eb-4f4f-90d5-5518a6561f15.yaml index b9324c722..1b674a025 100644 --- a/yaml/7ce8fb06-46eb-4f4f-90d5-5518a6561f15.yaml +++ b/yaml/7ce8fb06-46eb-4f4f-90d5-5518a6561f15.yaml @@ -224,7 +224,7 @@ KnownVulnerableSamples: Issuer: C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2 Version: 1 Imphash: a998fe47a44bfbf2399968e21cfdf7ca -- Name: '' +- Filename: '' Libraries: - ntoskrnl.exe ImportedFunctions: @@ -326,7 +326,7 @@ KnownVulnerableSamples: Imphash: a998fe47a44bfbf2399968e21cfdf7ca Machine: AMD64 MagicHeader: 50 45 0 0 - CreationTimestamp: '2016-03-09 07:28:57' + CreationTimestamp: '2016-03-09 00:28:57' RichPEHeaderMD5: ae0016968883c7b6d9bf26bf6adcb454 RichPEHeaderSHA1: ae1e456ae17f0bce4cb62e8cc3a76e5b83c53caa RichPEHeaderSHA256: 9c178663dffdd9f9429f961711da30f4c966a2437d235785d182a6e5afb40fbc @@ -408,6 +408,21 @@ KnownVulnerableSamples: - SerialNumber: 1121c5bcad73319ee0131e328a2b814e164a Issuer: C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2 Version: 1 + Authentihash: + MD5: 7514f440c5b9e5c4a0498e4489b76d62 + SHA1: 0bca6c35159282fd64615abc4d398399b061847b + SHA256: 3913d9754b78182aa25d38fbd7ea02502bdf1d81e6525ab4b5ffe5f543200478 + RichPEHeaderHash: + MD5: ae0016968883c7b6d9bf26bf6adcb454 + SHA1: ae1e456ae17f0bce4cb62e8cc3a76e5b83c53caa + SHA256: 9c178663dffdd9f9429f961711da30f4c966a2437d235785d182a6e5afb40fbc + Description: GMER Driver http://www.gmer.net + Company: GMER + Product: GMER + Copyright: Copyright (C) GMER 2003-2013 + MachineType: AMD64 + Imports: + - ntoskrnl.exe MitreID: T1068 Resources: - https://github.com/magicsword-io/LOLDrivers/issues/55#issuecomment-1537161951 diff --git a/yaml/97045c68-a808-4bd5-8873-c94730076f51.yaml b/yaml/97045c68-a808-4bd5-8873-c94730076f51.yaml new file mode 100644 index 000000000..fcd1fb6f3 --- /dev/null +++ b/yaml/97045c68-a808-4bd5-8873-c94730076f51.yaml 
@@ -0,0 +1,375 @@ +Id: 97045c68-a808-4bd5-8873-c94730076f51 +Author: Michael Haag +Created: '2023-12-02' +MitreID: T1068 +Category: vulnerable driver +Verified: 'TRUE' +Commands: + Command: sc.exe create rentdrv2.sys binPath=C:\windows\temp\rentdrv2.sys type=kernel + && sc.exe start rentdrv2.sys + Description: As the attempt to exploit the GMER driver failed, the attackers tried + arming their drvIX tool. They did so using a different vulnerable driver from + a new publicly available PoC tool called BadRentdrv2, first published in the beginning + of October 2023. + Usecase: Elevate privileges + Privileges: kernel + OperatingSystem: Windows 10 +Resources: +- https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/ +Acknowledgement: + Person: '' + Handle: '' +Detection: [] +KnownVulnerableSamples: +- Filename: rentdrv2.sys + Libraries: + - ntoskrnl.exe + - HAL.dll + ImportedFunctions: + - KeSetEvent + - KeInitializeEvent + - ZwCreateFile + - ExAllocatePool + - KeGetCurrentThread + - ZwClose + - ObReferenceObjectByHandle + - KeWaitForSingleObject + - ObfDereferenceObject + - ZwWriteFile + - DbgPrint + - KeInitializeDpc + - InterlockedPopEntrySList + - KeQuerySystemTime + - ZwWaitForSingleObject + - KeFlushQueuedDpcs + - PsCreateSystemThread + - ExSystemTimeToLocalTime + - _vsnprintf + - KeInsertQueueDpc + - RtlTimeToTimeFields + - PsThreadType + - PsGetCurrentThreadId + - InterlockedPushEntrySList + - PsProcessType + - PsLookupProcessByProcessId + - _wcsnicmp + - PsGetProcessInheritedFromUniqueProcessId + - ZwOpenProcess + - RtlInitUnicodeString + - RtlCopyUnicodeString + - MmIsAddressValid + - ZwTerminateProcess + - ObOpenObjectByPointer + - PsGetProcessId + - RtlAppendUnicodeToString + - ZwQuerySymbolicLinkObject + - ZwOpenSymbolicLinkObject + - KeClearEvent + - IoDeleteSymbolicLink + - KeResetEvent + - IoCreateNotificationEvent + - KeSetPriorityThread + - IoDeleteDevice + - KeSetTimerEx + - PsTerminateSystemThread + - 
IofCompleteRequest + - IoCreateSymbolicLink + - IoCreateDevice + - KeInitializeTimerEx + - KeCancelTimer + - ExFreePoolWithTag + - ZwQueryInformationProcess + - ExAllocatePoolWithTag + - memcpy + - _except_handler3 + - memset + - _alldiv + - KeGetCurrentIrql + - KfReleaseSpinLock + - KfAcquireSpinLock + ExportedFunctions: '' + MD5: 1585d3eda733dfe42202bb98f95f7f5d + SHA1: 8a0d8b31fc2cdc44cb5a8547b7a63600307dd2d4 + SHA256: 1aed62a63b4802e599bbd33162319129501d603cceeb5e1eb22fd4733b3018a3 + Imphash: d5b8227536ae03b96e542a52b80aab47 + Machine: I386 + MagicHeader: 50 45 0 0 + CreationTimestamp: '2020-10-15 00:28:23' + RichPEHeaderMD5: 2e2215b2069ed96fcec4649c25ecce07 + RichPEHeaderSHA1: f2dea0094772b0451202d789ab6f4e440a5dbb62 + RichPEHeaderSHA256: 65ad8fd2d58ed83b8f95fcc50f82a9aef53c7db80c072589b30194f15776a3e7 + AuthentihashMD5: 327bac48ef5c3162aaf555878ef89338 + AuthentihashSHA1: 3653d167ffa47da551267c179a4b4f23430271b7 + AuthentihashSHA256: 2e100aa891445f18f4805dced7c4055aa5bee6c65995daa42a438349ccad6c3c + Sections: + .text: + Entropy: 6.2825078531618965 + Virtual Size: '0x1d50' + .rdata: + Entropy: 4.946960370494769 + Virtual Size: '0x7d4' + .data: + Entropy: 0.08153941234324169 + Virtual Size: '0x2028' + INIT: + Entropy: 5.25825107827808 + Virtual Size: '0x644' + .reloc: + Entropy: 5.019721571589309 + Virtual Size: '0x36a' + CompanyName: '' + FileDescription: '' + InternalName: '' + OriginalFilename: '' + FileVersion: '' + ProductName: '' + LegalCopyright: '' + ProductVersion: '' + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root + CA + ValidFrom: '2011-04-15 19:41:37' + ValidTo: '2021-04-15 19:51:37' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 611cb28a000000000026 + Version: 3 + TBS: + MD5: 983a0c315a50542362f2bd6a5d71c8d0 + SHA1: 
8047f476001f5cb16a661d2a3fd0c3576168f5e2 + SHA256: 5f6a519ed2e35cd0fa1cdfc90f4387162c36287bbf9e4d6648251d99542a9e83 + SHA384: 5f014b60511ddab3247ef0b3c03fe82c622237ba76015e2911d1adc50dc632d56ebd1ee532f3c2b6cbfe68d80a2c91dc + - Subject: C=CN, ST=Zhejiang, L=Hangzhou, O=Hangzhou Shunwang Technology Co.,Ltd, + CN=Hangzhou Shunwang Technology Co.,Ltd + ValidFrom: '2019-12-27 00:00:00' + ValidTo: '2022-01-05 12:00:00' + Signature: 8147595b1b5b5c15cfd34eecc1af73a408dc6afb70b254cbe0654771d89947c98cc92708e61d9c5fdf3b6d13b1047bc00933dce01c24169068f5e02063f15d9ae5ae7c64e5baf373104c34fe57f2ac98410d6fc887fa42e20df6f4cd12f9ffd540eaa9111d6680e174c58f8a5f09b17c8f5b878f329c7c3b335484fb983cb2307a379dcfd4d4d5dac493f7f667491338b2213a761f7fa20376915597d6ae2015d69d43f4711356943cc08c7e5a4b1ce4bf0c69ea30d5154d59b08717b8330495a1e92383a12b96dce692aa2689d20ee3372e73b24049bc9c1d541f2227d4d411ba2f4785943ebb608bcafc8db1ffc1236b52ee833b3ede42535dc2d1710f62de + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0b1e1774fd8f4ea3d7ff1381fb73da92 + Version: 3 + TBS: + MD5: 7024d0a6b5e55936a7935914788421d5 + SHA1: efab40dd88bfe8550db10f51a4cbcfc9cea76af0 + SHA256: 4650e6e700bafb42b77d1928f425cc0f94bd24d59bbac383d3cc69a2900258d6 + SHA384: c177df2dd65d446edd0fff9d5ee9be89d732081ff103ae7cf067b3e118636595a5620d209a4636fb470ef6ed42b83d8e + - Subject: C=US, O=DigiCert, CN=DigiCert Timestamp Responder + ValidFrom: '2014-10-22 00:00:00' + ValidTo: '2024-10-22 00:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 03019a023aff58b16bd6d5eae617f066 + Version: 3 + TBS: + MD5: a752afee44f017e8d74e3f3eb7914ae3 + SHA1: 8eca80a6b80e9c69dcef7745748524afb8019e2d + SHA256: 82560fa7efec30b5ff82af643e6f3bf3d46868bbd5e7d76f93db185e9e3553a1 + SHA384: e8b11408c88f877ade4ca51114a175fb5dfd2d18d2a66be547c1c9e080fa8f592c7870e30dfab1c04d234993dd0907f3 + - Subject: C=US, 
O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code + Signing CA,1 + ValidFrom: '2011-02-11 12:00:00' + ValidTo: '2026-02-10 12:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 0fa8490615d700a0be2176fdc5ec6dbd + Version: 3 + TBS: + MD5: a9a31555bbc92b6033975c5428fb3679 + SHA1: 47f4b9898631773231b32844ec0d49990ac4eb1e + SHA256: c826846e4b1d73edb7561ab1b41c949354e237a91e82fe1be5b7e2e1701f52d1 + SHA384: 86f49574f368a561914a52d7ae043ec6784ef8c718960700f834e123594605d25d39f1ad45f1eb5052c9567f3edd0e16 + - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1 + ValidFrom: '2006-11-10 00:00:00' + ValidTo: '2021-11-10 00:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 06fdf9039603adea000aeb3f27bbba1b + Version: 3 + TBS: + MD5: 4e5ad189638cf52ba9cd881d4d44668c + SHA1: cdc115e98d798b33904c820d63cc1e1afc19251d + SHA256: 37560fb9d548ab62cc3ed4669a4ab74828b5a108e67e829937ffb2d10a5f78dd + SHA384: 173bfb77183785621ef15f43ea807338cea6a02e8183317d9ef050c7237adda3fa2a5bdcd5a4c96da9f2c55900675b9f + Signer: + - SerialNumber: 0b1e1774fd8f4ea3d7ff1381fb73da92 + Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code + Signing CA,1 + Version: 1 + Authentihash: + MD5: 327bac48ef5c3162aaf555878ef89338 + SHA1: 3653d167ffa47da551267c179a4b4f23430271b7 + SHA256: 2e100aa891445f18f4805dced7c4055aa5bee6c65995daa42a438349ccad6c3c + RichPEHeaderHash: + MD5: 2e2215b2069ed96fcec4649c25ecce07 + SHA1: f2dea0094772b0451202d789ab6f4e440a5dbb62 + SHA256: 65ad8fd2d58ed83b8f95fcc50f82a9aef53c7db80c072589b30194f15776a3e7 + Description: '' + Company: '' + Product: '' + Copyright: '' + MachineType: I386 + Imports: + - ntoskrnl.exe + - HAL.dll +- Filename: rentdrv2.sys + Libraries: + - ntoskrnl.exe + 
ImportedFunctions: + - RtlInitUnicodeString + - KeSetEvent + - KeInitializeEvent + - ZwCreateFile + - ExAllocatePool + - ZwClose + - ObReferenceObjectByHandle + - KeWaitForSingleObject + - ObfDereferenceObject + - ZwWriteFile + - DbgPrint + - InitializeSListHead + - ExpInterlockedPushEntrySList + - KeInitializeDpc + - KeReleaseSpinLock + - ExpInterlockedPopEntrySList + - ZwWaitForSingleObject + - KeFlushQueuedDpcs + - PsCreateSystemThread + - ExSystemTimeToLocalTime + - _vsnprintf + - KeInsertQueueDpc + - RtlTimeToTimeFields + - PsThreadType + - PsGetCurrentThreadId + - KeAcquireSpinLockRaiseToDpc + - PsProcessType + - PsLookupProcessByProcessId + - _wcsnicmp + - ExFreePoolWithTag + - ZwOpenProcess + - ZwQueryInformationProcess + - RtlCopyUnicodeString + - MmIsAddressValid + - ZwTerminateProcess + - ObOpenObjectByPointer + - PsGetProcessId + - RtlAppendUnicodeToString + - ZwQuerySymbolicLinkObject + - ZwOpenSymbolicLinkObject + - KeDelayExecutionThread + - ZwQuerySystemInformation + - KeBugCheckEx + - KeClearEvent + - IoDeleteSymbolicLink + - KeResetEvent + - IoCreateNotificationEvent + - KeSetPriorityThread + - IoDeleteDevice + - KeSetTimerEx + - PsTerminateSystemThread + - IofCompleteRequest + - IoCreateSymbolicLink + - IoCreateDevice + - KeInitializeTimerEx + - KeCancelTimer + - PsGetProcessInheritedFromUniqueProcessId + - ExAllocatePoolWithTag + - __C_specific_handler + ExportedFunctions: '' + MD5: 5fea22f442e7fd34a54008e363446d13 + SHA1: 67d17ca90880b448d5c3b40f69cec04d3649f170 + SHA256: 9165d4f3036919a96b86d24b64d75d692802c7513f2b3054b20be40c212240a5 + Imphash: 1fb8e85267a70537d661f9df2fc215ac + Machine: AMD64 + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-01-17 01:17:14' + RichPEHeaderMD5: df57763699cf5115bb47b14154391019 + RichPEHeaderSHA1: cdf22aa848a0e173ed5aa1fef4ca77eea65b9403 + RichPEHeaderSHA256: cf67066a7ed3bb69752ec5fc482e9d74f8bcff9683a417db05eeab1484cefea1 + AuthentihashMD5: b0c6112ed0f7a1544320e96c4e28dfaf + AuthentihashSHA1: 
cebe563de888ee2055ba03051010a40705e778c8 + AuthentihashSHA256: b3c9af8c4be8f62d25b955f92d2a4e9ebd34f7fa787580454ef54241102e7b30 + Sections: + .text: + Entropy: 6.09672981622707 + Virtual Size: '0x321a' + .rdata: + Entropy: 5.113705056700047 + Virtual Size: '0x117c' + .data: + Entropy: 0.0 + Virtual Size: '0x2038' + .pdata: + Entropy: 4.257063691646188 + Virtual Size: '0x3fc' + INIT: + Entropy: 4.964146055158324 + Virtual Size: '0x720' + CompanyName: '' + FileDescription: '' + InternalName: '' + OriginalFilename: '' + FileVersion: '' + ProductName: '' + LegalCopyright: '' + ProductVersion: '' + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Hardware Compatibility Publisher + ValidFrom: '2022-06-07 18:08:06' + ValidTo: '2023-06-01 18:08:06' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.11 + IsCertificateAuthority: false + SerialNumber: 3300000057ee4d659a923e7c10000000000057 + Version: 3 + TBS: + MD5: fdc11a5676aed4e9cc0c09eeb7450dfb + SHA1: 4902077d9a05d4231b791d3b05bafa4a79132f03 + SHA256: 5db56c23d83bf67c7152e28ad4a684a7372b4ae4f52afe7a81ce91eef94caec3 + SHA384: c952d7f0e0ea5216ce4400601fb7c0829f0f3fcd6eb2b5b9112fbe45d133e00c4abd660f8e1794f7ac4ef95123e2c0ab + - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Third Party Component CA 2014 + ValidFrom: '2014-10-15 20:31:27' + ValidTo: '2029-10-15 20:41:27' + Signature: 
96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f + SignatureAlgorithmOID: 1.2.840.113549.1.1.11 + IsCertificateAuthority: true + SerialNumber: 330000000d690d5d7893d076df00000000000d + Version: 3 + TBS: + MD5: 83f69422963f11c3c340b81712eef319 + SHA1: 0c5e5f24590b53bc291e28583acb78e5adc95601 + SHA256: d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae + SHA384: 260ad59ba706420f68ba212931153bd89f760c464b21be55fba9d014fff322407859d4ebfb78ea9a3330f60dc9821a63 + Signer: + - SerialNumber: 3300000057ee4d659a923e7c10000000000057 + Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Third Party Component CA 2014 + Version: 1 + Authentihash: + MD5: b0c6112ed0f7a1544320e96c4e28dfaf + SHA1: cebe563de888ee2055ba03051010a40705e778c8 + SHA256: b3c9af8c4be8f62d25b955f92d2a4e9ebd34f7fa787580454ef54241102e7b30 + RichPEHeaderHash: + MD5: df57763699cf5115bb47b14154391019 + SHA1: cdf22aa848a0e173ed5aa1fef4ca77eea65b9403 + SHA256: 
cf67066a7ed3bb69752ec5fc482e9d74f8bcff9683a417db05eeab1484cefea1 + Description: '' + Company: '' + Product: '' + Copyright: '' + MachineType: AMD64 + Imports: + - ntoskrnl.exe +Tags: +- rentdrv2.sys diff --git a/yaml/afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml b/yaml/afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml index fd34f0c7b..5d5f92151 100644 --- a/yaml/afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml +++ b/yaml/afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml @@ -155,7 +155,7 @@ KnownVulnerableSamples: Windows Third Party Component CA 2014 Version: 1 Imphash: a94892b77a6474429b9f692d9952a9d5 -- Filename: 'echodriver' +- Filename: echodriver Libraries: - ntoskrnl.exe - WDFLDR.SYS @@ -273,7 +273,7 @@ KnownVulnerableSamples: Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014 Version: 1 -- Filename: 'echodriver.sys' +- Filename: echodriver.sys Libraries: - cng.sys - ntoskrnl.exe diff --git a/yaml/e0e93453-1007-4799-ad02-9b461b7e0398.yaml b/yaml/e0e93453-1007-4799-ad02-9b461b7e0398.yaml index ae6e19e7f..0e022ab4c 100644 --- a/yaml/e0e93453-1007-4799-ad02-9b461b7e0398.yaml +++ b/yaml/e0e93453-1007-4799-ad02-9b461b7e0398.yaml @@ -25,7 +25,7 @@ Acknowledgement: Handle: '' Detection: [] KnownVulnerableSamples: -- Filename: 'Truesight' +- Filename: Truesight Libraries: - ntoskrnl.exe ImportedFunctions: 
@@ -198,5 +198,20 @@ KnownVulnerableSamples: - SerialNumber: 169d2c94309c0380414bcfdd93a6b27d Issuer: C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA EV R36 Version: 1 + Authentihash: + MD5: 7ac40b0bee0d9b6e84d58d567e82e736 + SHA1: 13c6de4203098a8017a0bd4c4da98f6d547482bb + SHA256: 891ad430e7f1d58ef85b437505a6016fa99a72abcfd4734476efc5fc1fcd1cba + RichPEHeaderHash: + MD5: 2aa941242ce069665648272f38f01e61 + SHA1: 27a430c07c51453e908a94ae3e2640dc733030e3 + SHA256: 78b94bc1db7ed451dff0467fac7a5e568a1d35f9cabcffbdb4690c13719861bb + Description: RogueKiller Antirootkit Driver + Company: Adlice Software + Product: Truesight + Copyright: Copyright Adlice Software(C) 2023 + MachineType: AMD64 + Imports: + - ntoskrnl.exe Tags: - truesight.sys From f6148e2a9e3dbd11cf3a8845c62f79688794aefd Mon Sep 17 00:00:00 2001 From: The Haag <5632822+MHaggis@users.noreply.github.com> Date: Sat, 2 Dec 2023 09:29:09 -0700 Subject: [PATCH 6/8] echo --- drivers/9aaace20135ff49aaccce80ad645a6ad.bin | 3 + .../afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml | 197 ++++++++++++++++++ 2 files changed, 200 insertions(+) create mode 100644 drivers/9aaace20135ff49aaccce80ad645a6ad.bin diff --git a/drivers/9aaace20135ff49aaccce80ad645a6ad.bin b/drivers/9aaace20135ff49aaccce80ad645a6ad.bin new file mode 100644 index 000000000..ce5d52286 --- /dev/null +++ b/drivers/9aaace20135ff49aaccce80ad645a6ad.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:09bbf3f87a8b322465b3f5c5d7784e83a3b166854dbed30e4a46ddb8c31b2c09 +size 23629 diff --git a/yaml/afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml b/yaml/afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml index 5d5f92151..878aa48e6 100644 --- a/yaml/afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml +++ b/yaml/afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml 
@@ -414,6 +414,203 @@ KnownVulnerableSamples: Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014 Version: 1 +- Filename: echo.sys + Libraries: + - ntoskrnl.exe + - HAL.dll + ImportedFunctions: + - KeSetEvent + - KeInitializeEvent + - ZwCreateFile + - ExAllocatePool + - KeGetCurrentThread + - ZwClose + - ObReferenceObjectByHandle + - KeWaitForSingleObject + - ObfDereferenceObject + - ZwWriteFile + - DbgPrint + - KeInitializeDpc + - InterlockedPopEntrySList + - KeQuerySystemTime + - ZwWaitForSingleObject + - KeFlushQueuedDpcs + - PsCreateSystemThread + - ExSystemTimeToLocalTime + - _vsnprintf + - KeInsertQueueDpc + - RtlTimeToTimeFields + - PsThreadType + - PsGetCurrentThreadId + - InterlockedPushEntrySList + - PsProcessType + - PsLookupProcessByProcessId + - _wcsnicmp + - PsGetProcessInheritedFromUniqueProcessId + - ZwOpenProcess + - RtlInitUnicodeString + - RtlCopyUnicodeString + - MmIsAddressValid + - ZwTerminateProcess + - ObOpenObjectByPointer + - PsGetProcessId + - RtlAppendUnicodeToString + - ZwQuerySymbolicLinkObject + - ZwOpenSymbolicLinkObject + - KeClearEvent + - IoDeleteSymbolicLink + - KeResetEvent + - IoCreateNotificationEvent + - KeSetPriorityThread + - IoDeleteDevice + - KeSetTimerEx + - PsTerminateSystemThread + - IofCompleteRequest + - IoCreateSymbolicLink + - IoCreateDevice + - KeInitializeTimerEx + - KeCancelTimer + - ExFreePoolWithTag + - ZwQueryInformationProcess + - ExAllocatePoolWithTag + - memcpy + - _except_handler3 + - memset + - _alldiv + - KeGetCurrentIrql + - KfReleaseSpinLock + - KfAcquireSpinLock + ExportedFunctions: '' + MD5: 1585d3eda733dfe42202bb98f95f7f5d + SHA1: 8a0d8b31fc2cdc44cb5a8547b7a63600307dd2d4 + SHA256: 1aed62a63b4802e599bbd33162319129501d603cceeb5e1eb22fd4733b3018a3 + Imphash: d5b8227536ae03b96e542a52b80aab47 + Machine: I386 + MagicHeader: 50 45 0 0 + CreationTimestamp: '2020-10-15 00:28:23' + RichPEHeaderMD5: 2e2215b2069ed96fcec4649c25ecce07 + 
RichPEHeaderSHA1: f2dea0094772b0451202d789ab6f4e440a5dbb62 + RichPEHeaderSHA256: 65ad8fd2d58ed83b8f95fcc50f82a9aef53c7db80c072589b30194f15776a3e7 + AuthentihashMD5: 327bac48ef5c3162aaf555878ef89338 + AuthentihashSHA1: 3653d167ffa47da551267c179a4b4f23430271b7 + AuthentihashSHA256: 2e100aa891445f18f4805dced7c4055aa5bee6c65995daa42a438349ccad6c3c + Sections: + .text: + Entropy: 6.2825078531618965 + Virtual Size: '0x1d50' + .rdata: + Entropy: 4.946960370494769 + Virtual Size: '0x7d4' + .data: + Entropy: 0.08153941234324169 + Virtual Size: '0x2028' + INIT: + Entropy: 5.25825107827808 + Virtual Size: '0x644' + .reloc: + Entropy: 5.019721571589309 + Virtual Size: '0x36a' + CompanyName: '' + FileDescription: '' + InternalName: '' + OriginalFilename: '' + FileVersion: '' + ProductName: '' + LegalCopyright: '' + ProductVersion: '' + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root + CA + ValidFrom: '2011-04-15 19:41:37' + ValidTo: '2021-04-15 19:51:37' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 611cb28a000000000026 + Version: 3 + TBS: + MD5: 983a0c315a50542362f2bd6a5d71c8d0 + SHA1: 8047f476001f5cb16a661d2a3fd0c3576168f5e2 + SHA256: 5f6a519ed2e35cd0fa1cdfc90f4387162c36287bbf9e4d6648251d99542a9e83 + SHA384: 5f014b60511ddab3247ef0b3c03fe82c622237ba76015e2911d1adc50dc632d56ebd1ee532f3c2b6cbfe68d80a2c91dc + - Subject: C=CN, ST=Zhejiang, L=Hangzhou, O=Hangzhou Shunwang Technology Co.,Ltd, + CN=Hangzhou Shunwang Technology Co.,Ltd + ValidFrom: '2019-12-27 00:00:00' + ValidTo: '2022-01-05 12:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 0b1e1774fd8f4ea3d7ff1381fb73da92 + Version: 3 + TBS: + MD5: 7024d0a6b5e55936a7935914788421d5 + SHA1: 
efab40dd88bfe8550db10f51a4cbcfc9cea76af0 + SHA256: 4650e6e700bafb42b77d1928f425cc0f94bd24d59bbac383d3cc69a2900258d6 + SHA384: c177df2dd65d446edd0fff9d5ee9be89d732081ff103ae7cf067b3e118636595a5620d209a4636fb470ef6ed42b83d8e + - Subject: C=US, O=DigiCert, CN=DigiCert Timestamp Responder + ValidFrom: '2014-10-22 00:00:00' + ValidTo: '2024-10-22 00:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: false + SerialNumber: 03019a023aff58b16bd6d5eae617f066 + Version: 3 + TBS: + MD5: a752afee44f017e8d74e3f3eb7914ae3 + SHA1: 8eca80a6b80e9c69dcef7745748524afb8019e2d + SHA256: 82560fa7efec30b5ff82af643e6f3bf3d46868bbd5e7d76f93db185e9e3553a1 + SHA384: e8b11408c88f877ade4ca51114a175fb5dfd2d18d2a66be547c1c9e080fa8f592c7870e30dfab1c04d234993dd0907f3 + - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code + Signing CA,1 + ValidFrom: '2011-02-11 12:00:00' + ValidTo: '2026-02-10 12:00:00' + Signature: 7b721d64ff88c83ac1b7e9e7a9c487bbdb9492d7905933fa2b87dea85b80253f138f9b831b7c43c4e68cdf393ec315ecb0da3b21257b24c1725db84791811346fa9c3f6a5138deb425cbf0abdfc528015479104624d1380f26a161904dbabd28e63ff1c4aa9bf6da35534fc9f23dd36cdc23edaaa04d6709f33a803d3cfb364c90e776a4ddf23abf56352fa24c65e8e0d4dad1c7c8916a2d234f373b199418d4d59c103cd5b11c19ff8fc86b9b9ef8ae9c999678d1cd9c51155b4226725a8d0a4a239240e886de22c2933ad49b68a6df297f06b93c0ebd9fc4869c82474271328609997209794b9d7169f541ff7f397764f1848dbe8b1eb27d68a3a590b10cff + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 0fa8490615d700a0be2176fdc5ec6dbd + Version: 3 + TBS: + MD5: a9a31555bbc92b6033975c5428fb3679 + SHA1: 47f4b9898631773231b32844ec0d49990ac4eb1e + SHA256: c826846e4b1d73edb7561ab1b41c949354e237a91e82fe1be5b7e2e1701f52d1 + SHA384: 86f49574f368a561914a52d7ae043ec6784ef8c718960700f834e123594605d25d39f1ad45f1eb5052c9567f3edd0e16 + - Subject: C=US, O=DigiCert Inc, 
OU=www.digicert.com, CN=DigiCert Assured ID CA,1 + ValidFrom: '2006-11-10 00:00:00' + ValidTo: '2021-11-10 00:00:00' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + IsCertificateAuthority: true + SerialNumber: 06fdf9039603adea000aeb3f27bbba1b + Version: 3 + TBS: + MD5: 4e5ad189638cf52ba9cd881d4d44668c + SHA1: cdc115e98d798b33904c820d63cc1e1afc19251d + SHA256: 37560fb9d548ab62cc3ed4669a4ab74828b5a108e67e829937ffb2d10a5f78dd + SHA384: 173bfb77183785621ef15f43ea807338cea6a02e8183317d9ef050c7237adda3fa2a5bdcd5a4c96da9f2c55900675b9f + Signer: + - SerialNumber: 0b1e1774fd8f4ea3d7ff1381fb73da92 + Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code + Signing CA,1 + Version: 1 + Authentihash: + MD5: 327bac48ef5c3162aaf555878ef89338 + SHA1: 3653d167ffa47da551267c179a4b4f23430271b7 + SHA256: 2e100aa891445f18f4805dced7c4055aa5bee6c65995daa42a438349ccad6c3c + RichPEHeaderHash: + MD5: 2e2215b2069ed96fcec4649c25ecce07 + SHA1: f2dea0094772b0451202d789ab6f4e440a5dbb62 + SHA256: 65ad8fd2d58ed83b8f95fcc50f82a9aef53c7db80c072589b30194f15776a3e7 + Description: '' + Company: '' + Product: '' + Copyright: '' + MachineType: I386 + Imports: + - ntoskrnl.exe + - HAL.dll MitreID: T1134 Resources: - https://ioctl.fail/echo-ac-writeup/ From 7bbcb06ffcaa0834d5e3b4fd30c29da0c9a3e9ce Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 22 Dec 2023 01:42:20 +0100 Subject: [PATCH 7/8] delete duplicate file --- .../0ae44ce5-cffb-485d-9dd4-732e15882ecc.yaml | 217 ------------------ .../e0e93453-1007-4799-ad02-9b461b7e0398.yaml | 4 +- 2 files changed, 2 insertions(+), 219 deletions(-) delete mode 100644 yaml/0ae44ce5-cffb-485d-9dd4-732e15882ecc.yaml diff --git a/yaml/0ae44ce5-cffb-485d-9dd4-732e15882ecc.yaml b/yaml/0ae44ce5-cffb-485d-9dd4-732e15882ecc.yaml deleted file mode 100644 index fc822fb5e..000000000 
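Review bot: The sample added as `Filename: echo.sys` in the `@@ -414,6 +414,203` hunk carries MD5 `1585d3eda733dfe42202bb98f95f7f5d` / SHA256 `1aed62a63b4802e599bbd33162319129501d603cceeb5e1eb22fd4733b3018a3`, the same hashes, import list, Rich-header hashes and Hangzhou Shunwang certificate chain as the first `rentdrv2.sys` sample this series adds to yaml/97045c68-… in PATCH 5/8, so one binary is now catalogued under two driver names. The LFS pointer this commit adds, drivers/9aaace20135ff49aaccce80ad645a6ad.bin with `oid sha256:09bbf3f87a8b322465b3f5c5d7784e83a3b166854dbed30e4a46ddb8c31b2c09` and size 23629, matches neither hash in the YAML, which points to the metadata block having been generated from the rentdrv2 file rather than from the new blob. The block should be regenerated from drivers/9aaace20135ff49aaccce80ad645a6ad.bin so that its `MD5` equals the blob's file name and its `SHA256` equals the LFS oid, as the two PATCH 5/8 pointers do for their samples; if the echo sample genuinely is the same file, keep it in one entry and cross-reference it from the other instead of duplicating the hash set. A pre-merge check that `SHA256` is unique across the yaml directory would catch this class of error.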
--- a/yaml/0ae44ce5-cffb-485d-9dd4-732e15882ecc.yaml
+++ /dev/null
@@ -1,217 +0,0 @@ -Id: 0ae44ce5-cffb-485d-9dd4-732e15882ecc -Author: Michael Haag -Created: '2023-11-29' -MitreID: T1068 -Category: vulnerable driver -Verified: 'TRUE' -Commands: - Command: sc.exe create truesight.sys binPath=C:\windows\temp\truesight.sys type=kernel - && sc.exe start truesight.sys - Description: This is a C# AV/EDR Killer using Rogue Anti-Malware Driver 3.3. This - driver is not present in the loldrivers or Windows blocklist at the time of this - writing. The only reason I'm making this public is because the company has already - published a fix in version 3.4, and Microsoft will likely block this driver soon. - This driver can be used in Windows 23H2 with HVCI enabled, loldrivers blocklist, - or WDAC enabled. HVCI is designed to ensure the integrity of code executed in - the kernel, but it cannot protect against all possible vulnerabilities or actions - that can be performed through drivers or system interfaces. - Usecase: Elevate privileges - Privileges: kernel - OperatingSystem: Windows 10 -Resources: -- https://github.com/ph4nt0mbyt3/Darkside -Acknowledgement: - Person: '' - Handle: '' -Detection: [] -KnownVulnerableSamples: -- Filename: Truesight - Libraries: - - ntoskrnl.exe - ImportedFunctions: - - ExFreePoolWithTag - - RtlInitUnicodeString - - RtlGetVersion - - IofCompleteRequest - - IoCreateSymbolicLink - - IoDeleteDevice - - IoDeleteSymbolicLink - - __C_specific_handler - - MmGetSystemRoutineAddress - - ZwClose - - ZwSetSecurityObject - - IoDeviceObjectType - - IoCreateDevice - - ObOpenObjectByPointer - - RtlGetDaclSecurityDescriptor - - RtlGetGroupSecurityDescriptor - - RtlGetOwnerSecurityDescriptor - - RtlGetSaclSecurityDescriptor - - SeCaptureSecurityDescriptor - - _snwprintf - - RtlLengthSecurityDescriptor - - SeExports - - RtlCreateSecurityDescriptor - - _wcsnicmp - - ExAllocatePoolWithTag - - wcschr - - RtlAbsoluteToSelfRelativeSD - - RtlAddAccessAllowedAce - - RtlLengthSid - - IoIsWdmVersionAvailable - - 
RtlSetDaclSecurityDescriptor - - ZwOpenKey - - ZwSetValueKey - - ZwQueryValueKey - - ZwCreateKey - - RtlFreeUnicodeString - - KeInitializeEvent - - KeResetEvent - - KeSetEvent - - KeWaitForSingleObject - - ObfDereferenceObject - - PsGetCurrentThreadId - - RtlCaptureStackBackTrace - - PsLookupThreadByThreadId - - KeInitializeApc - - KeInsertQueueApc - - _wcsicmp - - IoGetDeviceObjectPointer - - ObReferenceObjectByHandle - - MmIsAddressValid - - ObQueryNameString - - ZwOpenDirectoryObject - - ZwQueryDirectoryObject - - ObOpenObjectByName - - IoDriverObjectType - - ZwTerminateProcess - - ZwOpenProcess - - ZwQuerySystemInformation - - ZwDeleteKey - - ZwEnumerateKey - - ZwQueryKey - - IoAllocateIrp - - IofCallDriver - - IoCreateFile - - IoFreeIrp - - IoGetRelatedDeviceObject - - IoGetAttachedDevice - - IoFileObjectType - - MmProbeAndLockPages - - MmUnlockPages - - MmMapLockedPagesSpecifyCache - - IoAllocateMdl - - IoFreeMdl - - KeBugCheckEx - ExportedFunctions: '' - MD5: f53fa44c7b591a2be105344790543369 - SHA1: 363068731e87bcee19ad5cb802e14f9248465d31 - SHA256: bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c - Imphash: b95bc1a99081d695b1c0b37b90a4a0be - Machine: AMD64 - MagicHeader: 50 45 0 0 - CreationTimestamp: '2023-08-29 06:07:25' - RichPEHeaderMD5: 2aa941242ce069665648272f38f01e61 - RichPEHeaderSHA1: 27a430c07c51453e908a94ae3e2640dc733030e3 - RichPEHeaderSHA256: 78b94bc1db7ed451dff0467fac7a5e568a1d35f9cabcffbdb4690c13719861bb - AuthentihashMD5: 7ac40b0bee0d9b6e84d58d567e82e736 - AuthentihashSHA1: 13c6de4203098a8017a0bd4c4da98f6d547482bb - AuthentihashSHA256: 891ad430e7f1d58ef85b437505a6016fa99a72abcfd4734476efc5fc1fcd1cba - Sections: - .text: - Entropy: 6.252847617016488 - Virtual Size: '0x2dd4' - .rdata: - Entropy: 4.696875660287618 - Virtual Size: '0x1184' - .data: - Entropy: 2.44485563156831 - Virtual Size: '0x320' - .pdata: - Entropy: 4.30658373083434 - Virtual Size: '0x444' - PAGE: - Entropy: 6.246280479657509 - Virtual Size: '0x1cbc' - INIT: 
- Entropy: 5.52229514751666 - Virtual Size: '0xb14' - .rsrc: - Entropy: 3.2891744328822803 - Virtual Size: '0x3e0' - .reloc: - Entropy: 4.191806540004825 - Virtual Size: '0x6c' - CompanyName: Adlice Software - FileDescription: RogueKiller Antirootkit Driver - InternalName: Truesight - OriginalFilename: Truesight - FileVersion: 3.3.0 - ProductName: Truesight - LegalCopyright: Copyright Adlice Software(C) 2023 - ProductVersion: 3.3.0 - Signatures: - - CertificatesInfo: '' - SignerInfo: '' - Certificates: - - Subject: C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing Root R46 - ValidFrom: '2021-05-25 00:00:00' - ValidTo: '2028-12-31 23:59:59' - Signature: 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 - SignatureAlgorithmOID: 1.2.840.113549.1.1.12 - IsCertificateAuthority: true - SerialNumber: 48fc93b46055948d36a7c98a89d69416 - Version: 3 - TBS: - MD5: 207045ce7b7ab131e78e459b13825902 - SHA1: bcf7530a1ab309fb1926cb720f9fd58cff1cb88f - SHA256: 0f31a4237992e1ea623baf4c29480afb6d913e10f1fb1d56bb56f5b03fbff13b - SHA384: a229d2722bc6091d73b1d979b81088c977cb028a6f7cbf264bb81d5cc8f099f87d7c296e48bf09d7ebe275f5498661a4 - - Subject: C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA EV R36 - ValidFrom: '2021-03-22 00:00:00' - ValidTo: '2036-03-21 23:59:59' - Signature: 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 - SignatureAlgorithmOID: 1.2.840.113549.1.1.12 - IsCertificateAuthority: true - SerialNumber: 33d708a891405319e2a5bbd339b9ad6e - Version: 3 - TBS: - MD5: b81404c775a2621debdb7825b87b8316 - SHA1: 47ae94067c3c59b13605192288705db7b52f3685 - SHA256: 9893b35b3dcefe53d8d24b887569dfe21f9aef27bd57b61c06fcf7438b89c33a - SHA384: f55821c081b58e86eaa202923e715e1524c422c7be0469b13a9e7a319e50d70cb5b67e864273029a79250f9dc3203cbd - - Subject: serialNumber=793 308 925 00023, ??=FR, ??=Business Entity, C=FR, ST=Loire,Atlantique, - O=ADLICE (Julien Ascoet), CN=ADLICE (Julien Ascoet) - ValidFrom: '2023-08-15 00:00:00' - ValidTo: '2024-08-14 23:59:59' - 
Signature: 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 - SignatureAlgorithmOID: 1.2.840.113549.1.1.11 - IsCertificateAuthority: false - SerialNumber: 169d2c94309c0380414bcfdd93a6b27d - Version: 3 - TBS: - MD5: c35e4c3a6f6e5f166c542006132f8c91 - SHA1: 3a3f2daf6898839dd0cf73f3783501106997865a - SHA256: 781c89d3ef2b94bd13394987cc7e7885e3ed34ed39690cf0afb8d650d509ca80 - SHA384: 8f67b3ca1c1cddb236503ef87f52d7ac52e52d1b3c75c91a49709b8ca54487cadd7464dd23568b19413643bfedd69299 - Signer: - - SerialNumber: 169d2c94309c0380414bcfdd93a6b27d - Issuer: C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA EV R36 - Version: 1 - Authentihash: - MD5: 7ac40b0bee0d9b6e84d58d567e82e736 - SHA1: 13c6de4203098a8017a0bd4c4da98f6d547482bb - SHA256: 891ad430e7f1d58ef85b437505a6016fa99a72abcfd4734476efc5fc1fcd1cba - RichPEHeaderHash: - MD5: 2aa941242ce069665648272f38f01e61 - SHA1: 27a430c07c51453e908a94ae3e2640dc733030e3 - SHA256: 78b94bc1db7ed451dff0467fac7a5e568a1d35f9cabcffbdb4690c13719861bb - Description: RogueKiller Antirootkit Driver - Company: Adlice Software - Product: Truesight - Copyright: Copyright Adlice Software(C) 2023 - MachineType: AMD64 - Imports: - - ntoskrnl.exe -Tags: -- truesight.sys diff --git a/yaml/e0e93453-1007-4799-ad02-9b461b7e0398.yaml b/yaml/e0e93453-1007-4799-ad02-9b461b7e0398.yaml index 0e022ab4c..7f7c2488c 100644 --- a/yaml/e0e93453-1007-4799-ad02-9b461b7e0398.yaml +++ b/yaml/e0e93453-1007-4799-ad02-9b461b7e0398.yaml @@ -1,5 +1,5 @@ Id: e0e93453-1007-4799-ad02-9b461b7e0398 -Author: ph4nt0mbyt3 +Author: ph4nt0mbyt3, Michael Haag Created: '2023-11-10' MitreID: T1068 Category: vulnerable driver @@ -15,7 +15,7 @@ Commands: or WDAC enabled. HVCI is designed to ensure the integrity of code executed in the kernel, but it cannot protect against all possible vulnerabilities or actions that can be performed through drivers or system interfaces. - Usecase: AV Killer + Usecase: Elevate privileges Privileges: kernel OperatingSystem: Windows 11 Resources: 
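Review bot: The second hunk of yaml/e0e93453-1007-4799-ad02-9b461b7e0398.yaml replaces `Usecase: AV Killer` with `Usecase: Elevate privileges`, but the Description lines kept as context in that same hunk still characterise the driver as an AV/EDR killer, so the structured field no longer matches the prose it sits next to. If this is a vocabulary normalisation across the repository, keeping the original intent as a second value, the way afb8bb46 does with `Usecase: Elevate privileges, arbitrary memory read/write`, would preserve that signal for anyone filtering on the field: `Usecase: Elevate privileges, AV/EDR Killer`. Since this commit deletes 0ae44ce5 as a duplicate, it is also worth confirming that e0e93453 already carries the Truesight sample with SHA256 bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c and the Darkside resource link, as neither appears in the visible hunks of the surviving file.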
From 434decd4872e1c372573220e5f25aead1ee3f44d Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 22 Dec 2023 01:52:42 +0100
Subject: [PATCH 8/8] delete duplicate
---
 .../97045c68-a808-4bd5-8873-c94730076f51.yaml | 375 ------------------
 .../afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml | 171 +++++++-
 2 files changed, 162 insertions(+), 384 deletions(-)
 delete mode 100644 yaml/97045c68-a808-4bd5-8873-c94730076f51.yaml
diff --git a/yaml/97045c68-a808-4bd5-8873-c94730076f51.yaml b/yaml/97045c68-a808-4bd5-8873-c94730076f51.yaml
deleted file mode 100644
index fcd1fb6f3..000000000
--- a/yaml/97045c68-a808-4bd5-8873-c94730076f51.yaml
+++ /dev/null
@@ -1,375 +0,0 @@ -Id: 97045c68-a808-4bd5-8873-c94730076f51 -Author: Michael Haag -Created: '2023-12-02' -MitreID: T1068 -Category: vulnerable driver -Verified: 'TRUE' -Commands: - Command: sc.exe create rentdrv2.sys binPath=C:\windows\temp\rentdrv2.sys type=kernel - && sc.exe start rentdrv2.sys - Description: As the attempt to exploit the GMER driver failed, the attackers tried - arming their drvIX tool. They did so using a different vulnerable driver from - a new publicly available PoC tool called BadRentdrv2, first published in the beginning - of October 2023. - Usecase: Elevate privileges - Privileges: kernel - OperatingSystem: Windows 10 -Resources: -- https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/ -Acknowledgement: - Person: '' - Handle: '' -Detection: [] -KnownVulnerableSamples: -- Filename: rentdrv2.sys - Libraries: - - ntoskrnl.exe - - HAL.dll - ImportedFunctions: - - KeSetEvent - - KeInitializeEvent - - ZwCreateFile - - ExAllocatePool - - KeGetCurrentThread - - ZwClose - - ObReferenceObjectByHandle - - KeWaitForSingleObject - - ObfDereferenceObject - - ZwWriteFile - - DbgPrint - - KeInitializeDpc - - InterlockedPopEntrySList - - KeQuerySystemTime - - ZwWaitForSingleObject - - KeFlushQueuedDpcs - - PsCreateSystemThread - - ExSystemTimeToLocalTime - - _vsnprintf - - KeInsertQueueDpc - - RtlTimeToTimeFields - - PsThreadType - - PsGetCurrentThreadId - - InterlockedPushEntrySList - - PsProcessType - - PsLookupProcessByProcessId - - _wcsnicmp - - PsGetProcessInheritedFromUniqueProcessId - - ZwOpenProcess - - RtlInitUnicodeString - - RtlCopyUnicodeString - - MmIsAddressValid - - ZwTerminateProcess - - ObOpenObjectByPointer - - PsGetProcessId - - RtlAppendUnicodeToString - - ZwQuerySymbolicLinkObject - - ZwOpenSymbolicLinkObject - - KeClearEvent - - IoDeleteSymbolicLink - - KeResetEvent - - IoCreateNotificationEvent - - KeSetPriorityThread - - IoDeleteDevice - - KeSetTimerEx - - PsTerminateSystemThread - - 
IofCompleteRequest - - IoCreateSymbolicLink - - IoCreateDevice - - KeInitializeTimerEx - - KeCancelTimer - - ExFreePoolWithTag - - ZwQueryInformationProcess - - ExAllocatePoolWithTag - - memcpy - - _except_handler3 - - memset - - _alldiv - - KeGetCurrentIrql - - KfReleaseSpinLock - - KfAcquireSpinLock - ExportedFunctions: '' - MD5: 1585d3eda733dfe42202bb98f95f7f5d - SHA1: 8a0d8b31fc2cdc44cb5a8547b7a63600307dd2d4 - SHA256: 1aed62a63b4802e599bbd33162319129501d603cceeb5e1eb22fd4733b3018a3 - Imphash: d5b8227536ae03b96e542a52b80aab47 - Machine: I386 - MagicHeader: 50 45 0 0 - CreationTimestamp: '2020-10-15 00:28:23' - RichPEHeaderMD5: 2e2215b2069ed96fcec4649c25ecce07 - RichPEHeaderSHA1: f2dea0094772b0451202d789ab6f4e440a5dbb62 - RichPEHeaderSHA256: 65ad8fd2d58ed83b8f95fcc50f82a9aef53c7db80c072589b30194f15776a3e7 - AuthentihashMD5: 327bac48ef5c3162aaf555878ef89338 - AuthentihashSHA1: 3653d167ffa47da551267c179a4b4f23430271b7 - AuthentihashSHA256: 2e100aa891445f18f4805dced7c4055aa5bee6c65995daa42a438349ccad6c3c - Sections: - .text: - Entropy: 6.2825078531618965 - Virtual Size: '0x1d50' - .rdata: - Entropy: 4.946960370494769 - Virtual Size: '0x7d4' - .data: - Entropy: 0.08153941234324169 - Virtual Size: '0x2028' - INIT: - Entropy: 5.25825107827808 - Virtual Size: '0x644' - .reloc: - Entropy: 5.019721571589309 - Virtual Size: '0x36a' - CompanyName: '' - FileDescription: '' - InternalName: '' - OriginalFilename: '' - FileVersion: '' - ProductName: '' - LegalCopyright: '' - ProductVersion: '' - Signatures: - - CertificatesInfo: '' - SignerInfo: '' - Certificates: - - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root - CA - ValidFrom: '2011-04-15 19:41:37' - ValidTo: '2021-04-15 19:51:37' - Signature: 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 - SignatureAlgorithmOID: 1.2.840.113549.1.1.5 - IsCertificateAuthority: true - SerialNumber: 611cb28a000000000026 - Version: 3 - TBS: - MD5: 983a0c315a50542362f2bd6a5d71c8d0 - SHA1: 
8047f476001f5cb16a661d2a3fd0c3576168f5e2 - SHA256: 5f6a519ed2e35cd0fa1cdfc90f4387162c36287bbf9e4d6648251d99542a9e83 - SHA384: 5f014b60511ddab3247ef0b3c03fe82c622237ba76015e2911d1adc50dc632d56ebd1ee532f3c2b6cbfe68d80a2c91dc - - Subject: C=CN, ST=Zhejiang, L=Hangzhou, O=Hangzhou Shunwang Technology Co.,Ltd, - CN=Hangzhou Shunwang Technology Co.,Ltd - ValidFrom: '2019-12-27 00:00:00' - ValidTo: '2022-01-05 12:00:00' - Signature: 8147595b1b5b5c15cfd34eecc1af73a408dc6afb70b254cbe0654771d89947c98cc92708e61d9c5fdf3b6d13b1047bc00933dce01c24169068f5e02063f15d9ae5ae7c64e5baf373104c34fe57f2ac98410d6fc887fa42e20df6f4cd12f9ffd540eaa9111d6680e174c58f8a5f09b17c8f5b878f329c7c3b335484fb983cb2307a379dcfd4d4d5dac493f7f667491338b2213a761f7fa20376915597d6ae2015d69d43f4711356943cc08c7e5a4b1ce4bf0c69ea30d5154d59b08717b8330495a1e92383a12b96dce692aa2689d20ee3372e73b24049bc9c1d541f2227d4d411ba2f4785943ebb608bcafc8db1ffc1236b52ee833b3ede42535dc2d1710f62de - SignatureAlgorithmOID: 1.2.840.113549.1.1.5 - IsCertificateAuthority: false - SerialNumber: 0b1e1774fd8f4ea3d7ff1381fb73da92 - Version: 3 - TBS: - MD5: 7024d0a6b5e55936a7935914788421d5 - SHA1: efab40dd88bfe8550db10f51a4cbcfc9cea76af0 - SHA256: 4650e6e700bafb42b77d1928f425cc0f94bd24d59bbac383d3cc69a2900258d6 - SHA384: c177df2dd65d446edd0fff9d5ee9be89d732081ff103ae7cf067b3e118636595a5620d209a4636fb470ef6ed42b83d8e - - Subject: C=US, O=DigiCert, CN=DigiCert Timestamp Responder - ValidFrom: '2014-10-22 00:00:00' - ValidTo: '2024-10-22 00:00:00' - Signature: 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 - SignatureAlgorithmOID: 1.2.840.113549.1.1.5 - IsCertificateAuthority: false - SerialNumber: 03019a023aff58b16bd6d5eae617f066 - Version: 3 - TBS: - MD5: a752afee44f017e8d74e3f3eb7914ae3 - SHA1: 8eca80a6b80e9c69dcef7745748524afb8019e2d - SHA256: 82560fa7efec30b5ff82af643e6f3bf3d46868bbd5e7d76f93db185e9e3553a1 - SHA384: e8b11408c88f877ade4ca51114a175fb5dfd2d18d2a66be547c1c9e080fa8f592c7870e30dfab1c04d234993dd0907f3 - - Subject: C=US, 
O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code - Signing CA,1 - ValidFrom: '2011-02-11 12:00:00' - ValidTo: '2026-02-10 12:00:00' - Signature: 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 - SignatureAlgorithmOID: 1.2.840.113549.1.1.5 - IsCertificateAuthority: true - SerialNumber: 0fa8490615d700a0be2176fdc5ec6dbd - Version: 3 - TBS: - MD5: a9a31555bbc92b6033975c5428fb3679 - SHA1: 47f4b9898631773231b32844ec0d49990ac4eb1e - SHA256: c826846e4b1d73edb7561ab1b41c949354e237a91e82fe1be5b7e2e1701f52d1 - SHA384: 86f49574f368a561914a52d7ae043ec6784ef8c718960700f834e123594605d25d39f1ad45f1eb5052c9567f3edd0e16 - - Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1 - ValidFrom: '2006-11-10 00:00:00' - ValidTo: '2021-11-10 00:00:00' - Signature: 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 - SignatureAlgorithmOID: 1.2.840.113549.1.1.5 - IsCertificateAuthority: true - SerialNumber: 06fdf9039603adea000aeb3f27bbba1b - Version: 3 - TBS: - MD5: 4e5ad189638cf52ba9cd881d4d44668c - SHA1: cdc115e98d798b33904c820d63cc1e1afc19251d - SHA256: 37560fb9d548ab62cc3ed4669a4ab74828b5a108e67e829937ffb2d10a5f78dd - SHA384: 173bfb77183785621ef15f43ea807338cea6a02e8183317d9ef050c7237adda3fa2a5bdcd5a4c96da9f2c55900675b9f - Signer: - - SerialNumber: 0b1e1774fd8f4ea3d7ff1381fb73da92 - Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code - Signing CA,1 - Version: 1 - Authentihash: - MD5: 327bac48ef5c3162aaf555878ef89338 - SHA1: 3653d167ffa47da551267c179a4b4f23430271b7 - SHA256: 2e100aa891445f18f4805dced7c4055aa5bee6c65995daa42a438349ccad6c3c - RichPEHeaderHash: - MD5: 2e2215b2069ed96fcec4649c25ecce07 - SHA1: f2dea0094772b0451202d789ab6f4e440a5dbb62 - SHA256: 65ad8fd2d58ed83b8f95fcc50f82a9aef53c7db80c072589b30194f15776a3e7 - Description: '' - Company: '' - Product: '' - Copyright: '' - MachineType: I386 - Imports: - - ntoskrnl.exe - - HAL.dll -- Filename: rentdrv2.sys - Libraries: - - ntoskrnl.exe - 
ImportedFunctions: - - RtlInitUnicodeString - - KeSetEvent - - KeInitializeEvent - - ZwCreateFile - - ExAllocatePool - - ZwClose - - ObReferenceObjectByHandle - - KeWaitForSingleObject - - ObfDereferenceObject - - ZwWriteFile - - DbgPrint - - InitializeSListHead - - ExpInterlockedPushEntrySList - - KeInitializeDpc - - KeReleaseSpinLock - - ExpInterlockedPopEntrySList - - ZwWaitForSingleObject - - KeFlushQueuedDpcs - - PsCreateSystemThread - - ExSystemTimeToLocalTime - - _vsnprintf - - KeInsertQueueDpc - - RtlTimeToTimeFields - - PsThreadType - - PsGetCurrentThreadId - - KeAcquireSpinLockRaiseToDpc - - PsProcessType - - PsLookupProcessByProcessId - - _wcsnicmp - - ExFreePoolWithTag - - ZwOpenProcess - - ZwQueryInformationProcess - - RtlCopyUnicodeString - - MmIsAddressValid - - ZwTerminateProcess - - ObOpenObjectByPointer - - PsGetProcessId - - RtlAppendUnicodeToString - - ZwQuerySymbolicLinkObject - - ZwOpenSymbolicLinkObject - - KeDelayExecutionThread - - ZwQuerySystemInformation - - KeBugCheckEx - - KeClearEvent - - IoDeleteSymbolicLink - - KeResetEvent - - IoCreateNotificationEvent - - KeSetPriorityThread - - IoDeleteDevice - - KeSetTimerEx - - PsTerminateSystemThread - - IofCompleteRequest - - IoCreateSymbolicLink - - IoCreateDevice - - KeInitializeTimerEx - - KeCancelTimer - - PsGetProcessInheritedFromUniqueProcessId - - ExAllocatePoolWithTag - - __C_specific_handler - ExportedFunctions: '' - MD5: 5fea22f442e7fd34a54008e363446d13 - SHA1: 67d17ca90880b448d5c3b40f69cec04d3649f170 - SHA256: 9165d4f3036919a96b86d24b64d75d692802c7513f2b3054b20be40c212240a5 - Imphash: 1fb8e85267a70537d661f9df2fc215ac - Machine: AMD64 - MagicHeader: 50 45 0 0 - CreationTimestamp: '2023-01-17 01:17:14' - RichPEHeaderMD5: df57763699cf5115bb47b14154391019 - RichPEHeaderSHA1: cdf22aa848a0e173ed5aa1fef4ca77eea65b9403 - RichPEHeaderSHA256: cf67066a7ed3bb69752ec5fc482e9d74f8bcff9683a417db05eeab1484cefea1 - AuthentihashMD5: b0c6112ed0f7a1544320e96c4e28dfaf - AuthentihashSHA1: 
cebe563de888ee2055ba03051010a40705e778c8 - AuthentihashSHA256: b3c9af8c4be8f62d25b955f92d2a4e9ebd34f7fa787580454ef54241102e7b30 - Sections: - .text: - Entropy: 6.09672981622707 - Virtual Size: '0x321a' - .rdata: - Entropy: 5.113705056700047 - Virtual Size: '0x117c' - .data: - Entropy: 0.0 - Virtual Size: '0x2038' - .pdata: - Entropy: 4.257063691646188 - Virtual Size: '0x3fc' - INIT: - Entropy: 4.964146055158324 - Virtual Size: '0x720' - CompanyName: '' - FileDescription: '' - InternalName: '' - OriginalFilename: '' - FileVersion: '' - ProductName: '' - LegalCopyright: '' - ProductVersion: '' - Signatures: - - CertificatesInfo: '' - SignerInfo: '' - Certificates: - - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft - Windows Hardware Compatibility Publisher - ValidFrom: '2022-06-07 18:08:06' - ValidTo: '2023-06-01 18:08:06' - Signature: 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 - SignatureAlgorithmOID: 1.2.840.113549.1.1.11 - IsCertificateAuthority: false - SerialNumber: 3300000057ee4d659a923e7c10000000000057 - Version: 3 - TBS: - MD5: fdc11a5676aed4e9cc0c09eeb7450dfb - SHA1: 4902077d9a05d4231b791d3b05bafa4a79132f03 - SHA256: 5db56c23d83bf67c7152e28ad4a684a7372b4ae4f52afe7a81ce91eef94caec3 - SHA384: c952d7f0e0ea5216ce4400601fb7c0829f0f3fcd6eb2b5b9112fbe45d133e00c4abd660f8e1794f7ac4ef95123e2c0ab - - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft - Windows Third Party Component CA 2014 - ValidFrom: '2014-10-15 20:31:27' - ValidTo: '2029-10-15 20:41:27' - Signature: 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 - SignatureAlgorithmOID: 1.2.840.113549.1.1.11 - IsCertificateAuthority: true - SerialNumber: 330000000d690d5d7893d076df00000000000d - Version: 3 - TBS: - MD5: 83f69422963f11c3c340b81712eef319 - SHA1: 0c5e5f24590b53bc291e28583acb78e5adc95601 - SHA256: d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae - SHA384: 
260ad59ba706420f68ba212931153bd89f760c464b21be55fba9d014fff322407859d4ebfb78ea9a3330f60dc9821a63 - Signer: - - SerialNumber: 3300000057ee4d659a923e7c10000000000057 - Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft - Windows Third Party Component CA 2014 - Version: 1 - Authentihash: - MD5: b0c6112ed0f7a1544320e96c4e28dfaf - SHA1: cebe563de888ee2055ba03051010a40705e778c8 - SHA256: b3c9af8c4be8f62d25b955f92d2a4e9ebd34f7fa787580454ef54241102e7b30 - RichPEHeaderHash: - MD5: df57763699cf5115bb47b14154391019 - SHA1: cdf22aa848a0e173ed5aa1fef4ca77eea65b9403 - SHA256: cf67066a7ed3bb69752ec5fc482e9d74f8bcff9683a417db05eeab1484cefea1 - Description: '' - Company: '' - Product: '' - Copyright: '' - MachineType: AMD64 - Imports: - - ntoskrnl.exe -Tags: -- rentdrv2.sys diff --git a/yaml/afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml b/yaml/afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml index 878aa48e6..de2f1d131 100644 --- a/yaml/afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml +++ b/yaml/afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml @@ -1,7 +1,15 @@ +Id: afb8bb46-1d13-407d-9866-1daa7c82ca63 +Author: Protocol & Zach +Created: '2023-07-14' +Verified: 'TRUE' +MitreID: T1134 +Resources: +- https://ioctl.fail/echo-ac-writeup/ +- https://github.com/kite03/echoac-poc/tree/main/PoC +- https://github.com/pseuxide/kur Acknowledgement: Handle: '@WindowsKernel' Person: protocol -Author: Protocol & Zach Category: vulnerable driver Commands: Command: sc.exe create echo_driver.sys binPath=C:\windows\temp\echo_driver.sys type=kernel @@ -12,9 +20,7 @@ Commands: OperatingSystem: Windows 10/11 Privileges: kernel Usecase: Elevate privileges, arbitrary memory read/write -Created: '2023-07-14' Detection: [] -Id: afb8bb46-1d13-407d-9866-1daa7c82ca63 KnownVulnerableSamples: - Authentihash: MD5: cad120d8ba6473b07a3b76a41921d720 
@@ -611,11 +617,158 @@ KnownVulnerableSamples: Imports: - ntoskrnl.exe - HAL.dll -MitreID: T1134 -Resources: -- https://ioctl.fail/echo-ac-writeup/ -- https://github.com/kite03/echoac-poc/tree/main/PoC -- https://github.com/pseuxide/kur +- Filename: rentdrv2.sys + Libraries: + - ntoskrnl.exe + ImportedFunctions: + - RtlInitUnicodeString + - KeSetEvent + - KeInitializeEvent + - ZwCreateFile + - ExAllocatePool + - ZwClose + - ObReferenceObjectByHandle + - KeWaitForSingleObject + - ObfDereferenceObject + - ZwWriteFile + - DbgPrint + - InitializeSListHead + - ExpInterlockedPushEntrySList + - KeInitializeDpc + - KeReleaseSpinLock + - ExpInterlockedPopEntrySList + - ZwWaitForSingleObject + - KeFlushQueuedDpcs + - PsCreateSystemThread + - ExSystemTimeToLocalTime + - _vsnprintf + - KeInsertQueueDpc + - RtlTimeToTimeFields + - PsThreadType + - PsGetCurrentThreadId + - KeAcquireSpinLockRaiseToDpc + - PsProcessType + - PsLookupProcessByProcessId + - _wcsnicmp + - ExFreePoolWithTag + - ZwOpenProcess + - ZwQueryInformationProcess + - RtlCopyUnicodeString + - MmIsAddressValid + - ZwTerminateProcess + - ObOpenObjectByPointer + - PsGetProcessId + - RtlAppendUnicodeToString + - ZwQuerySymbolicLinkObject + - ZwOpenSymbolicLinkObject + - KeDelayExecutionThread + - ZwQuerySystemInformation + - KeBugCheckEx + - KeClearEvent + - IoDeleteSymbolicLink + - KeResetEvent + - IoCreateNotificationEvent + - KeSetPriorityThread + - IoDeleteDevice + - KeSetTimerEx + - PsTerminateSystemThread + - IofCompleteRequest + - IoCreateSymbolicLink + - IoCreateDevice + - KeInitializeTimerEx + - KeCancelTimer + - PsGetProcessInheritedFromUniqueProcessId + - ExAllocatePoolWithTag + - __C_specific_handler + ExportedFunctions: '' + MD5: 5fea22f442e7fd34a54008e363446d13 + SHA1: 67d17ca90880b448d5c3b40f69cec04d3649f170 + SHA256: 9165d4f3036919a96b86d24b64d75d692802c7513f2b3054b20be40c212240a5 + Imphash: 1fb8e85267a70537d661f9df2fc215ac + Machine: AMD64 + MagicHeader: 50 45 0 0 + CreationTimestamp: '2023-01-17 
01:17:14' + RichPEHeaderMD5: df57763699cf5115bb47b14154391019 + RichPEHeaderSHA1: cdf22aa848a0e173ed5aa1fef4ca77eea65b9403 + RichPEHeaderSHA256: cf67066a7ed3bb69752ec5fc482e9d74f8bcff9683a417db05eeab1484cefea1 + AuthentihashMD5: b0c6112ed0f7a1544320e96c4e28dfaf + AuthentihashSHA1: cebe563de888ee2055ba03051010a40705e778c8 + AuthentihashSHA256: b3c9af8c4be8f62d25b955f92d2a4e9ebd34f7fa787580454ef54241102e7b30 + Sections: + .text: + Entropy: 6.09672981622707 + Virtual Size: '0x321a' + .rdata: + Entropy: 5.113705056700047 + Virtual Size: '0x117c' + .data: + Entropy: 0.0 + Virtual Size: '0x2038' + .pdata: + Entropy: 4.257063691646188 + Virtual Size: '0x3fc' + INIT: + Entropy: 4.964146055158324 + Virtual Size: '0x720' + CompanyName: '' + FileDescription: '' + InternalName: '' + OriginalFilename: '' + FileVersion: '' + ProductName: '' + LegalCopyright: '' + ProductVersion: '' + Signatures: + - CertificatesInfo: '' + SignerInfo: '' + Certificates: + - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Hardware Compatibility Publisher + ValidFrom: '2022-06-07 18:08:06' + ValidTo: '2023-06-01 18:08:06' + Signature: 
0a835e40cdb627d4f0a0d3dbbf64a46a05c132d0b5df9d11cd9c195d7037737057d57a342732ae68d67de47f460e7211c7c40dc29b0a079caff871c4834a9a2fc85e759de9b78659ad6fd79b7320e538e9ba5d52227ad67cc00b0a770ef662af3d743a558643ad89cfb015591709a69b6271a9b65db71898e7cb9964c6376dc474898301a6133198b486b518fdd9d7b9723dcffc441e026833f7c72e27986026c97b9184a0048b10d1fe6847ae467f02173f7a69120be780e5b6b9e6399402cc58735a31b537cc33578fbea443135a4a612359150bcf9ab316f6a9248bc71ef3f3480b9b3fa2341692bc3a121d80214688f7bd87d5ec56dcbd0ea61abf2c7ed2b739a07590adb596d401735d955f5f94c591d69ab4363a42f9fca549d439495711ff7990448c03724792ed4acf31f2b35b136c1b2f37aa82b1aabf7daf059dcb2e976e95311ec6e9cc53876dd09632cf512d39c801849a7c1088a565691953e07c7ff17b22518e982dd2dcc0feda8c834ca1f5e247aef1c3af5f13cd4b8cc1b6c0179bc876db88d677047c34366533e349796dbdea86389ad640710b7742ae8cc4ec88f10fa80ede4b1c93f81b55480fc8228216d54813df0327e74b3db9f3512a40c0568e4215827f9b7a2613deea72a7ec4df2def05e5559015049fe83edc83300526045cb128119e131b7d3573b268e24b0a25b9ad59f6301c8fc8f409322 + SignatureAlgorithmOID: 1.2.840.113549.1.1.11 + IsCertificateAuthority: false + SerialNumber: 3300000057ee4d659a923e7c10000000000057 + Version: 3 + TBS: + MD5: fdc11a5676aed4e9cc0c09eeb7450dfb + SHA1: 4902077d9a05d4231b791d3b05bafa4a79132f03 + SHA256: 5db56c23d83bf67c7152e28ad4a684a7372b4ae4f52afe7a81ce91eef94caec3 + SHA384: c952d7f0e0ea5216ce4400601fb7c0829f0f3fcd6eb2b5b9112fbe45d133e00c4abd660f8e1794f7ac4ef95123e2c0ab + - Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Third Party Component CA 2014 + ValidFrom: '2014-10-15 20:31:27' + ValidTo: '2029-10-15 20:41:27' + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.11 + IsCertificateAuthority: true + SerialNumber: 330000000d690d5d7893d076df00000000000d + Version: 3 + TBS: + MD5: 83f69422963f11c3c340b81712eef319 + SHA1: 0c5e5f24590b53bc291e28583acb78e5adc95601 + SHA256: 
d8be9e4d9074088ef818bc6f6fb64955e90378b2754155126feebbbd969cf0ae + SHA384: 260ad59ba706420f68ba212931153bd89f760c464b21be55fba9d014fff322407859d4ebfb78ea9a3330f60dc9821a63 + Signer: + - SerialNumber: 3300000057ee4d659a923e7c10000000000057 + Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Third Party Component CA 2014 + Version: 1 + Authentihash: + MD5: b0c6112ed0f7a1544320e96c4e28dfaf + SHA1: cebe563de888ee2055ba03051010a40705e778c8 + SHA256: b3c9af8c4be8f62d25b955f92d2a4e9ebd34f7fa787580454ef54241102e7b30 + RichPEHeaderHash: + MD5: df57763699cf5115bb47b14154391019 + SHA1: cdf22aa848a0e173ed5aa1fef4ca77eea65b9403 + SHA256: cf67066a7ed3bb69752ec5fc482e9d74f8bcff9683a417db05eeab1484cefea1 + Description: '' + Company: '' + Product: '' + Copyright: '' + MachineType: AMD64 + Imports: + - ntoskrnl.exe Tags: - echo_driver.sys -Verified: 'TRUE'
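Review bot: The `@@ -611,11 +617,158 @@` hunk appends a `Filename: rentdrv2.sys` sample to yaml/afb8bb46-1d13-407d-9866-1daa7c82ca63.yaml, whose Id, Commands (`sc.exe create echo_driver.sys ...`) and `Tags` all describe echo_driver.sys, while the deleted yaml/97045c68 entry had its own load command, a different MITRE id (T1068 versus T1134 here) and a Unit 42 resource link; unless rentdrv2.sys and echo_driver.sys are known to be the same driver, this merges two distinct drivers into one record and drops the deleted entry's reference. Even if the merge is intended, `Tags:` at the end of the hunk still lists only `- echo_driver.sys`, so a lookup by filename or tag will not surface the rentdrv2.sys hashes; add `- rentdrv2.sys` under `Tags:`. The deleted file also carried a second, 32-bit rentdrv2.sys sample (MD5 1585d3eda733dfe42202bb98f95f7f5d, SHA256 1aed62a63b4802e599bbd33162319129501d603cceeb5e1eb22fd4733b3018a3) that this hunk does not add; an earlier patch in this series appears to have added a sample with the same Authentihash to this file, but that lies outside the hunk, so please verify it is present before the deletion lands.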