From dd488671a433366e76d9b24f363116ab1f8286ae Mon Sep 17 00:00:00 2001 
From: josehelps Date: Wed, 26 Jul 2023 22:43:11 -0400 Subject: [PATCH 1/2] fixed enriched with yara to use the new file struc and also updated all yamls with new yaras --- bin/enrich_with_yara.py | 35 ++++++++++++++----- .../0258df5c-c3c1-4ed5-ba8f-846d91526ffe.yaml | 10 ++++++ yaml/043773c5-120a-4c6b-8485-8f1f5c47fd3e.yml | 12 ++++++- .../04d377f9-36e0-42a4-8d47-62232163dc68.yaml | 10 ++++++ yaml/0567c6c4-282f-406f-9369-7f876b899c25.yml | 10 ++++++ .../080ff223-f8e0-49c0-a7b5-e97349cf81a0.yaml | 10 ++++++ yaml/0e8da43d-92e0-43f9-bc34-50a7d15b34bd.yml | 12 ++++++- .../0f59ce3b-20ac-41ba-8010-2abc74827eb8.yaml | 10 ++++++ yaml/10b1fc3d-c444-4885-8ca9-4b5891885507.yml | 10 ++++++ .../127cde1d-905e-4c67-a2c3-04ea4deaea7d.yaml | 10 ++++++ yaml/13637210-2e1c-45a4-9f76-fe38c3c34264.yml | 12 ++++++- .../137daca4-0d7b-48aa-8574-f7eb6ad02526.yaml | 10 ++++++ yaml/13973a71-412f-4a18-a2a6-476d3853f8de.yml | 12 ++++++- .../16d8962b-cf96-432f-8a43-d41f06828f56.yaml | 12 ++++++- .../17cf4fac-88f1-467d-9f62-481d33accc5b.yaml | 10 ++++++ .../19d16518-4aee-4983-ba89-dbbe0fa8a3e7.yaml | 10 ++++++ .../1ae6cfc4-ca70-4148-ba1c-e46cc6bfc548.yaml | 10 ++++++ .../1c6e1d3b-f825-4065-9e0c-83386883e40f.yaml | 10 ++++++ .../1c7631f0-f92f-4be5-8ba7-3eefb0601d45.yaml | 10 ++++++ .../1d2cdef1-de44-4849-80e5-e2fa288df681.yaml | 10 ++++++ .../20076ebf-4427-4056-b035-5238f95debe9.yaml | 10 ++++++ .../205721b7-b83b-414a-b4b5-8bacb4a37777.yaml | 10 ++++++ yaml/214654eb-90c4-48c8-a183-0157e50bf07f.yml | 12 ++++++- .../22aa985b-5fdb-4e38-9382-a496220c27ec.yaml | 10 ++++++ .../23f11e19-0776-4dd4-9c9c-7f6b60f8553f.yaml | 10 ++++++ .../24fb7bab-b8c3-46ea-a370-c84d2f0ff614.yaml | 10 ++++++ yaml/2ada18ae-2c52-49b6-b1a0-cf3b267f6dc7.yml | 12 ++++++- .../2b949a0d-939f-456a-a34f-4589d7712227.yaml | 10 ++++++ .../2bea1bca-753c-4f09-bc9f-566ab0193f4a.yaml | 10 ++++++ yaml/2d7c96d3-2d6c-44cd-a8a1-5239f571a24a.yml | 10 ++++++ .../2e4fedb0-30ed-400d-b4e1-b2b2004c1607.yaml | 10 ++++++ 
yaml/2ea12acc-95b6-4f91-afb7-8ded7a2fe9d9.yml | 12 ++++++- .../31686f0e-3748-48c2-be09-fc8f3252e780.yaml | 10 ++++++ .../31797996-6973-402d-a4a0-d01ce51e02c0.yaml | 10 ++++++ .../3277cecc-f4b4-4a00-be01-9da83e013bcd.yaml | 10 ++++++ .../32ccd436-eb13-4ab3-83d4-3e5471f4e364.yaml | 10 ++++++ .../33a9c9ae-5ca3-442d-9f0f-2615637c1c57.yaml | 10 ++++++ .../351ff5ca-f07b-4eb6-9300-d5d31514defb.yaml | 10 ++++++ .../39742f99-2180-46d7-8538-56667c935cc3.yaml | 10 ++++++ .../3ab0d182-6365-47a7-89f4-34121e889503.yaml | 10 ++++++ .../3ac0eda2-a844-4a9d-9cfa-c25a9e05d678.yaml | 10 ++++++ .../3bc629e8-7bf8-40c2-965b-87eb155e0065.yaml | 10 ++++++ .../3e0bf6dc-791b-4170-8c40-427e7299d93d.yaml | 10 ++++++ .../3f39af20-802a-4909-a5de-7f6fe7aab350.yaml | 10 ++++++ .../40bfb01b-d251-4c2c-952e-052a89a76f5b.yaml | 10 ++++++ .../43d0af25-c066-471f-bb73-6ce25dc7e0eb.yaml | 10 ++++++ .../47724cc1-bf75-4ab7-a47a-355a9aa30de1.yaml | 10 ++++++ .../47a351ee-8abe-40d8-bc2b-557390fa0945.yaml | 10 ++++++ .../47fe1aaf-02cd-4a41-8bf5-0047015a2a6e.yaml | 10 ++++++ .../48bc2815-85ec-4436-a51a-69810c8cb171.yaml | 10 ++++++ .../4a80da66-f8f1-4af9-ba56-696cfe6c1e10.yaml | 10 ++++++ .../4bf4b425-10af-4cd4-88e6-beb4b947eb48.yaml | 10 ++++++ .../4d365dd0-34c3-492e-a2bd-c16266796ae5.yaml | 10 ++++++ .../4db827b1-325b-444d-9f23-171285a4d12f.yaml | 10 ++++++ yaml/4dd3289c-522c-4fce-b48e-5370efc90fa1.yml | 12 ++++++- .../51c342f3-0b91-4674-8f81-bc016855f30f.yaml | 10 ++++++ .../54d67d79-0268-4c5f-be7e-0f74cd20828a.yaml | 10 ++++++ .../57f63efb-dc43-4dba-9413-173e3e4be750.yaml | 10 ++++++ .../57fc510a-e649-4599-b83e-8f3605e3d1d9.yaml | 10 ++++++ .../5943b267-64f3-40d4-8669-354f23dec122.yaml | 10 ++++++ .../5969b6dc-b136-480e-a527-3cb2ea2f0da9.yaml | 10 ++++++ .../5af9abf0-d8de-4e9b-8141-e9e97a31901a.yaml | 10 ++++++ .../5f70bde4-9f81-44a8-9d3e-c6c7cf65bfae.yaml | 10 ++++++ yaml/613b8509-18c0-4720-b489-736776b6713e.yml | 12 ++++++- .../61514cbd-6f34-4a3e-a022-9ecbccc16feb.yaml | 10 ++++++ 
yaml/66be9e0a-9246-4404-b5b5-7fbde351668f.yml | 12 ++++++- .../670dc258-78b5-4552-a16b-b41917c86f8d.yaml | 10 ++++++ .../6a50e368-1120-434b-9232-1a0702c80437.yaml | 10 ++++++ .../6d21df78-d718-44df-b722-99eec654f5b2.yaml | 10 ++++++ yaml/6ec5ddda-f302-4008-a73e-12814c1d571f.yml | 12 ++++++- .../6fc3034f-8b40-44ef-807a-f61d3ea2dece.yaml | 10 ++++++ .../70acea34-7ed2-42d5-885c-eca3c2de640c.yaml | 10 ++++++ .../72637cb1-5ca2-4ad0-a5df-20da17b231b5.yaml | 10 ++++++ yaml/73196456-40ae-4b6d-8562-07cf99458a7d.yml | 12 ++++++- .../76b5dfae-b384-45ce-8646-b2eec6b76a1e.yaml | 10 ++++++ yaml/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2.yml | 12 ++++++- yaml/7a722cd5-69ec-4680-9f20-9387f249a891.yml | 12 ++++++- .../7bb5ff05-25f8-410d-ae99-c8e8f082d24f.yaml | 10 ++++++ .../7ce8fb06-46eb-4f4f-90d5-5518a6561f15.yaml | 10 ++++++ yaml/7edb5602-239f-460a-89d6-363ff1059765.yml | 12 ++++++- .../7f645b95-4374-47ae-be1a-e4415308b550.yaml | 10 ++++++ yaml/7f9842a0-8118-462e-8860-227265ff4379.yml | 12 ++++++- .../81a73e57-2e92-4d21-97d3-1c21eb4c3aea.yaml | 10 ++++++ .../855ade1f-8a9e-4c9d-ab8e-d7e409609852.yaml | 10 ++++++ .../86cff0de-2536-4b8d-a846-a7312c569597.yaml | 10 ++++++ .../87752fb8-e9f6-4235-91e2-c4343677d817.yaml | 10 ++++++ .../892292f9-b87c-40a5-80e5-8c9b02914e8b.yaml | 10 ++++++ yaml/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025.yml | 10 ++++++ .../8ff4ab50-05b7-4bfa-b994-1920c4ed4978.yaml | 10 ++++++ .../9074a02a-b1ca-4bfb-8918-5b88e91c04a2.yaml | 10 ++++++ yaml/90afa27c-0f67-46a6-b4a9-809f55157c71.yml | 12 ++++++- .../91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f.yaml | 10 ++++++ .../93740202-930c-4ab4-8603-8ec9532c5415.yaml | 12 ++++++- .../93c84c08-4683-493d-abf7-22dc2d1cb567.yaml | 10 ++++++ .../999a11ae-ec2b-4863-baa4-1384ec2b7339.yaml | 10 ++++++ .../9a4fb66e-9084-4b21-9d76-a7afbe330606.yaml | 10 ++++++ .../9c3c6e89-3916-498f-81e5-da057ab3ed42.yaml | 10 ++++++ .../9e87b6b0-00ed-4259-bcd7-05e2c924d58c.yaml | 10 ++++++ yaml/a02ee964-a21e-4b08-9c98-a730c90bfd53.yml | 12 ++++++- 
yaml/a0fbd397-64d5-4af2-844b-b096e08a1866.yml | 12 ++++++- .../a22104a8-126d-449f-ba3e-28678c60c587.yaml | 10 ++++++ .../a261cd64-0d04-4bf5-ad73-f3bb96bf83cf.yaml | 10 ++++++ .../a285591e-ad3c-46a3-a648-c58589ff5efc.yaml | 10 ++++++ .../a33de377-d2c2-4c71-98ca-cd0be8d284f9.yaml | 10 ++++++ .../a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f.yaml | 10 ++++++ .../a5ebba11-5a31-48d2-9c6d-78bba397edf1.yaml | 10 ++++++ .../a66d0413-cc82-4f1e-bcf1-0dcf9d79f6c0.yaml | 10 ++++++ yaml/a7628504-9e35-4e42-91f7-0c0a512549f4.yml | 12 ++++++- .../a7775cbe-624b-4b04-b74f-969f77c2ac02.yaml | 10 ++++++ .../a7bba474-815f-49be-bddc-4d76a64c866c.yaml | 10 ++++++ .../a845a05c-5357-4b78-9783-16b4d34b2cb0.yaml | 10 ++++++ yaml/a9d9cbb7-b5f6-4e74-97a5-29993263280e.yml | 12 ++++++- .../aa687f89-4f3b-4b59-b64e-fee5e2ae2310.yaml | 10 ++++++ .../ad21819d-3080-4fe2-89b1-74385031fb4d.yaml | 10 ++++++ yaml/b03798af-d25a-400b-9236-4643a802846f.yml | 12 ++++++- .../b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6.yaml | 10 ++++++ .../b72f7335-6f27-42c5-85f5-ed7eb9016eac.yaml | 10 ++++++ .../bb808089-5857-4df2-8998-753a7106cb44.yaml | 10 ++++++ .../bc5e020a-ecff-43c8-b57b-ee17b5f65b21.yaml | 10 ++++++ .../be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc.yaml | 10 ++++++ .../bf01915d-045f-442c-a74e-25c56182123f.yaml | 10 ++++++ .../c3cca618-5a7f-4a51-8785-cb328fbfb0df.yaml | 10 ++++++ yaml/c98af16e-197f-4e66-bf94-14646bde32dd.yml | 12 ++++++- .../ca1e8664-841f-4e4b-9e67-3f515cc249c6.yaml | 10 ++++++ .../ca415ed5-b611-4840-bfb2-6e1eacac33d1.yaml | 10 ++++++ .../ca768fc5-9b5c-4ced-90ab-fd6be9a70199.yaml | 10 ++++++ .../cf49f43c-d7b4-4c1a-a40d-1be36ea64bff.yaml | 10 ++++++ .../cfdc5cb4-be5c-4dcc-a883-825fa72115b4.yaml | 10 ++++++ .../d0048840-970f-4ad5-9a07-1d39469d721f.yaml | 10 ++++++ .../d2806397-9ceb-47c8-b5f3-3aabec182ff5.yaml | 10 ++++++ yaml/d35cb48d-2aca-4d7d-a194-f4566183bcd9.yml | 12 ++++++- .../d55a5955-6220-4f38-ba7d-91339330fe98.yaml | 10 ++++++ .../d819bee2-3bff-481f-a301-acc3d1f5fe58.yaml | 10 ++++++ 
.../d9e00cc7-a8f4-4390-a6dc-0f5423e97da4.yaml | 10 ++++++ .../d9f2c3d6-160c-4eb3-8547-894fcf810342.yaml | 10 ++++++ .../da7314dc-6cf1-4d74-a0d1-796fc08944f8.yaml | 10 ++++++ .../de003542-80e1-4aa0-9b99-ed8647a93a6e.yaml | 10 ++++++ .../de365e80-45cb-48fb-af6e-0a96a5ad7777.yaml | 10 ++++++ .../de4dd27a-1f7e-4271-98a4-55395ab6aabf.yaml | 10 ++++++ .../dfce8b0f-d857-4808-80ef-61273c7a4183.yaml | 10 ++++++ .../e4098d7e-78b3-4da1-96cb-68b27f245e02.yaml | 10 ++++++ .../e42cd285-4dda-4086-a696-93ab1d6f17ca.yaml | 10 ++++++ .../e4609b54-cb25-4433-a75a-7a17f43cec00.yaml | 10 ++++++ yaml/e5f12b82-8d07-474e-9587-8c7b3714d60c.yml | 12 ++++++- .../e7c958da-fd5d-40d6-975e-582c6fee7f69.yaml | 10 ++++++ yaml/eb07ef7e-0402-48eb-8e06-8fb76eda5b84.yml | 10 ++++++ .../edd29861-6984-4dbe-8e7c-22e9b6cf68d0.yaml | 10 ++++++ .../eef1fcf4-8c54-420b-8d38-9c5f95129dcc.yaml | 10 ++++++ yaml/f4126206-564f-49f5-a942-2138a3131e0e.yml | 12 ++++++- .../f4990bdd-8821-4a3c-a11a-4651e645810c.yaml | 10 ++++++ .../f4c22f4d-eff8-40c5-8b31-146abe5f17b7.yaml | 10 ++++++ .../f654ad84-c61d-477c-a0b2-d153b927dfcc.yaml | 10 ++++++ .../fab98aaa-e4e7-4c4a-af65-c00d35cf66e9.yaml | 10 ++++++ .../fbdd993b-47b1-4448-8c41-24c310802398.yaml | 10 ++++++ .../fdf4f85b-47f4-4c98-a0d5-a6583463f565.yaml | 10 ++++++ .../fe2f68e1-e459-4802-9a9a-23bb3c2fd331.yaml | 10 ++++++ .../ff74f03e-e4ce-4242-bfe3-60601056bb34.yaml | 10 ++++++ 157 files changed, 1615 insertions(+), 36 deletions(-)
diff --git a/bin/enrich_with_yara.py b/bin/enrich_with_yara.py
index 4711b4c18..a72800fad 100644
--- a/bin/enrich_with_yara.py
+++ b/bin/enrich_with_yara.py
@@ -1,6 +1,7 @@
 import argparse
 import os
 import yaml
+import re
 # Parse command-line arguments
 parser = argparse.ArgumentParser()
@@ -18,6 +19,15 @@
 {"type": "sysmon_hash_block", "value": base_url + "detections/sysmon/sysmon_config_vulnerable_hashes_block.xml"}
 ]
+# Define YARA rules files
+yara_rules_files = [
+ "yara-rules_mal_drivers_strict.yar",
+ "yara-rules_vuln_drivers_strict_renamed.yar",
+ "yara-rules_vuln_drivers.yar",
+ "yara-rules_mal_drivers.yar",
+ "yara-rules_vuln_drivers_strict.yar"
+]
+
 # Loop through each YAML file in the directory
 for file_name in os.listdir('yaml'):
 if file_name.endswith('.yaml') or file_name.endswith('.yml'):
@@ -31,13 +41,23 @@
 updated = False
 for entry in yaml_data['KnownVulnerableSamples']:
 sha256 = entry.get('SHA256')
- if sha256:
- yara_file_path = os.path.join('detections/yara', f'{sha256}.yara')
- if os.path.exists(yara_file_path):
- updated = True
- if args.verbose:
- print(f"Updating file: {file_path}")
- yaml_data['Detection'].append({"type": "yara_signature", "value": base_url + yara_file_path})
+ if sha256:
+ for yara_file_name in yara_rules_files:
+ yara_file_path = os.path.join('detections/yara', yara_file_name)
+
+ # Load YARA rules from the file
+ with open(yara_file_path, 'r') as f:
+ yara_rules = f.read()
+
+ # Check if a rule exists for the specific sample
+ if re.search(f'{sha256}', yara_rules):
+ yara_link = {"type": "yara_signature", "value": base_url + yara_file_path}
+ if yara_link not in yaml_data['Detection']:
+ updated = True
+ if args.verbose:
+ print(f"Updating file: {file_path}")
+ yaml_data['Detection'].append(yara_link)
+ break
 # Add specific sigma and sysmon rules to detections
 yaml_data['Detection'].extend(sigma_rules)
@@ -47,4 +67,3 @@
 if updated:
 with open(file_path, 'w') as f:
 yaml.dump(yaml_data, f, sort_keys=False)
-
diff --git a/yaml/0258df5c-c3c1-4ed5-ba8f-846d91526ffe.yaml b/yaml/0258df5c-c3c1-4ed5-ba8f-846d91526ffe.yaml
index bb22af1db..82a9cce30 100644
--- a/yaml/0258df5c-c3c1-4ed5-ba8f-846d91526ffe.yaml
+++ b/yaml/0258df5c-c3c1-4ed5-ba8f-846d91526ffe.yaml
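Review bot: The duplicate guard added in the `@@ -31,13 +41,23 @@` hunk covers only the yara link, while the `yaml_data['Detection'].extend(sigma_rules)` context line right after it (and the sysmon extend beyond the hunk) still appends unconditionally, which is why the yaml hunks in this same commit (e.g. `yaml/0258df5c-c3c1-4ed5-ba8f-846d91526ffe.yaml`) now list `sigma_hash`, `sigma_names`, `sysmon_hash_detect` and `sysmon_hash_block` twice. The new loop also re-opens and re-reads every file in `yara_rules_files` for each sample of each YAML file, and, unlike the `os.path.exists` branch it replaces, a missing rule file now raises FileNotFoundError and aborts the whole run. `re.search(f'{sha256}', yara_rules)` treats the hash as a regex pattern where a plain substring test (`sha256 in yara_rules`) says what is meant; whether the rule files write hashes in a different case than the YAML cannot be seen from the hunk, so the rewrite below compares case-insensitively. The enclosing `for file_name in os.listdir('yaml')` loop begins before this hunk and the sysmon extend and write-back lie after it; the rewrite loads each rule file once before that loop and makes the shared sigma entries append-if-absent.
```python
# Load each YARA rules file once; a missing file is reported and skipped
# instead of aborting the run
yara_rules_text = {}
for yara_file_name in yara_rules_files:
    yara_file_path = os.path.join('detections/yara', yara_file_name)
    if not os.path.exists(yara_file_path):
        print(f"Warning: missing YARA rules file: {yara_file_path}")
        continue
    with open(yara_file_path, 'r') as f:
        yara_rules_text[yara_file_path] = f.read()

# … unchanged: os.listdir('yaml') loop, YAML load, updated = False …
        for entry in yaml_data['KnownVulnerableSamples']:
            sha256 = entry.get('SHA256')
            if not sha256:
                continue
            needle = str(sha256).lower()
            for yara_file_path, yara_rules in yara_rules_text.items():
                # Plain substring test: the hash is data, not a regex pattern
                if needle in yara_rules.lower():
                    yara_link = {"type": "yara_signature", "value": base_url + yara_file_path}
                    if yara_link not in yaml_data['Detection']:
                        updated = True
                        if args.verbose:
                            print(f"Updating file: {file_path}")
                        yaml_data['Detection'].append(yara_link)
                    # Keep the commit's behaviour of linking only the first matching rules file
                    break

        # Add the shared sigma rules only if the file does not already list them;
        # marking the file updated persists files whose only gap is a missing sigma entry
        for rule in sigma_rules:
            if rule not in yaml_data['Detection']:
                updated = True
                yaml_data['Detection'].append(rule)
        # … unchanged: apply the same append-if-absent to the sysmon list, then write back …
```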
@@ -28,6 +28,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml KnownVulnerableSamples: - Filename: AsrDrv10.sys MD5: 9b91a44a488e4d539f2e55476b216024 diff --git a/yaml/043773c5-120a-4c6b-8485-8f1f5c47fd3e.yml b/yaml/043773c5-120a-4c6b-8485-8f1f5c47fd3e.yml index ededcd28a..0ad4c87d1 100644 --- a/yaml/043773c5-120a-4c6b-8485-8f1f5c47fd3e.yml +++ b/yaml/043773c5-120a-4c6b-8485-8f1f5c47fd3e.yml 
@@ -16,7 +16,17 @@ Resources: Acknowledgement: Person: [] Handle: '' -Detection: [] +Detection: +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml KnownVulnerableSamples: - Filename: aswArPot.sys MD5: c61876aaca6ce822be18adb9d9bd4260 diff --git a/yaml/04d377f9-36e0-42a4-8d47-62232163dc68.yaml b/yaml/04d377f9-36e0-42a4-8d47-62232163dc68.yaml index d3dbb77fb..5a4b46f61 100644 --- a/yaml/04d377f9-36e0-42a4-8d47-62232163dc68.yaml +++ b/yaml/04d377f9-36e0-42a4-8d47-62232163dc68.yaml 
@@ -30,6 +30,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml KnownVulnerableSamples: - Filename: iomem64.sys MD5: 0898af0888d8f7a9544ef56e5e16354e diff --git a/yaml/0567c6c4-282f-406f-9369-7f876b899c25.yml b/yaml/0567c6c4-282f-406f-9369-7f876b899c25.yml index fb154cc04..a04e35204 100644 --- a/yaml/0567c6c4-282f-406f-9369-7f876b899c25.yml +++ b/yaml/0567c6c4-282f-406f-9369-7f876b899c25.yml 
@@ -94,6 +94,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml KnownVulnerableSamples: - Filename: procexp.Sys MD5: e6cb1728c50bd020e531d19a14904e1c diff --git a/yaml/080ff223-f8e0-49c0-a7b5-e97349cf81a0.yaml b/yaml/080ff223-f8e0-49c0-a7b5-e97349cf81a0.yaml index 07d8cd62d..2c84c1edc 100644 --- a/yaml/080ff223-f8e0-49c0-a7b5-e97349cf81a0.yaml +++ b/yaml/080ff223-f8e0-49c0-a7b5-e97349cf81a0.yaml 
@@ -28,6 +28,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml KnownVulnerableSamples: - Filename: HpPortIox64.sys MD5: a641e3dccba765a10718c9cb0da7879e diff --git a/yaml/0e8da43d-92e0-43f9-bc34-50a7d15b34bd.yml b/yaml/0e8da43d-92e0-43f9-bc34-50a7d15b34bd.yml index ce5669725..11e6c1d22 100644 --- a/yaml/0e8da43d-92e0-43f9-bc34-50a7d15b34bd.yml +++ b/yaml/0e8da43d-92e0-43f9-bc34-50a7d15b34bd.yml 
@@ -16,7 +16,17 @@ Resources: Acknowledgement: Person: Michael Alfaro Handle: '@_mmpte_software' -Detection: [] +Detection: +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml KnownVulnerableSamples: - Filename: etdsupp.sys MD5: a92bf3c219a5fa82087b6c31bdf36ff3 diff --git a/yaml/0f59ce3b-20ac-41ba-8010-2abc74827eb8.yaml b/yaml/0f59ce3b-20ac-41ba-8010-2abc74827eb8.yaml index 0bd14a49b..d10b39ad5 100644 --- a/yaml/0f59ce3b-20ac-41ba-8010-2abc74827eb8.yaml +++ b/yaml/0f59ce3b-20ac-41ba-8010-2abc74827eb8.yaml 
@@ -28,6 +28,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml KnownVulnerableSamples: - Filename: cpuz.sys MD5: c2eb4539a4f6ab6edd01bdc191619975 diff --git a/yaml/10b1fc3d-c444-4885-8ca9-4b5891885507.yml b/yaml/10b1fc3d-c444-4885-8ca9-4b5891885507.yml index ee7d1b4f8..ec4ff9a4e 100644 --- a/yaml/10b1fc3d-c444-4885-8ca9-4b5891885507.yml +++ b/yaml/10b1fc3d-c444-4885-8ca9-4b5891885507.yml 
@@ -30,6 +30,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml KnownVulnerableSamples: - Filename: atillk64.sys MD5: 27d21eeff199ed555a29ca0ea4453cfb diff --git a/yaml/127cde1d-905e-4c67-a2c3-04ea4deaea7d.yaml b/yaml/127cde1d-905e-4c67-a2c3-04ea4deaea7d.yaml index 7a808c45f..6c2bc53db 100644 --- a/yaml/127cde1d-905e-4c67-a2c3-04ea4deaea7d.yaml +++ b/yaml/127cde1d-905e-4c67-a2c3-04ea4deaea7d.yaml 
@@ -29,6 +29,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml KnownVulnerableSamples: - Filename: wantd_6.sys MD5: 4b058945c9f2b8d8ebc485add1101ba5 diff --git a/yaml/13637210-2e1c-45a4-9f76-fe38c3c34264.yml b/yaml/13637210-2e1c-45a4-9f76-fe38c3c34264.yml index 863f41924..e7d0c79bc 100644 --- a/yaml/13637210-2e1c-45a4-9f76-fe38c3c34264.yml +++ b/yaml/13637210-2e1c-45a4-9f76-fe38c3c34264.yml 
@@ -16,7 +16,17 @@ Resources: Acknowledgement: Person: [] Handle: '' -Detection: [] +Detection: +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml KnownVulnerableSamples: - Filename: HpPortIox64.sys MD5: 7b9e1e5e8ff4f18f84108bb9f7b5d108 diff --git a/yaml/137daca4-0d7b-48aa-8574-f7eb6ad02526.yaml b/yaml/137daca4-0d7b-48aa-8574-f7eb6ad02526.yaml index f849a5fb2..bfd9cea04 100644 --- a/yaml/137daca4-0d7b-48aa-8574-f7eb6ad02526.yaml +++ b/yaml/137daca4-0d7b-48aa-8574-f7eb6ad02526.yaml 
@@ -31,6 +31,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml KnownVulnerableSamples: - Filename: speedfan.sys MD5: 5f9785e7535f8f602cb294a54962c9e7 diff --git a/yaml/13973a71-412f-4a18-a2a6-476d3853f8de.yml b/yaml/13973a71-412f-4a18-a2a6-476d3853f8de.yml index 68c2c866a..d79c34a03 100644 --- a/yaml/13973a71-412f-4a18-a2a6-476d3853f8de.yml +++ b/yaml/13973a71-412f-4a18-a2a6-476d3853f8de.yml 
@@ -17,7 +17,17 @@ Resources: Acknowledgement: Person: [] Handle: '' -Detection: [] +Detection: +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml KnownVulnerableSamples: - Filename: AMDRyzenMasterDriver.sys MD5: f16b44cca74d3c3645e4c0a6bb5c0cb9 diff --git a/yaml/16d8962b-cf96-432f-8a43-d41f06828f56.yaml b/yaml/16d8962b-cf96-432f-8a43-d41f06828f56.yaml index 790647a6a..af4198000 100644 --- a/yaml/16d8962b-cf96-432f-8a43-d41f06828f56.yaml +++ b/yaml/16d8962b-cf96-432f-8a43-d41f06828f56.yaml 
@@ -16,7 +16,17 @@ Resources: Acknowledgement: Person: '' Handle: '' -Detection: [] +Detection: +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml KnownVulnerableSamples: - Filename: cpuz.sys MD5: a89ca92145fc330adced0dd005421183 diff --git a/yaml/17cf4fac-88f1-467d-9f62-481d33accc5b.yaml b/yaml/17cf4fac-88f1-467d-9f62-481d33accc5b.yaml index c23adf089..a55e20083 100644 --- a/yaml/17cf4fac-88f1-467d-9f62-481d33accc5b.yaml +++ b/yaml/17cf4fac-88f1-467d-9f62-481d33accc5b.yaml 
@@ -28,6 +28,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml KnownVulnerableSamples: - Filename: otipcibus.sys MD5: d5a642329cce4df94b8dc1ba9660ae34 diff --git a/yaml/19d16518-4aee-4983-ba89-dbbe0fa8a3e7.yaml b/yaml/19d16518-4aee-4983-ba89-dbbe0fa8a3e7.yaml index 29236e395..fcda7b1ed 100644 --- a/yaml/19d16518-4aee-4983-ba89-dbbe0fa8a3e7.yaml +++ b/yaml/19d16518-4aee-4983-ba89-dbbe0fa8a3e7.yaml 
@@ -28,6 +28,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml KnownVulnerableSamples: - Filename: AsrRapidStartDrv.sys MD5: 31469f1313871690e8dc2e8ee4799b22 diff --git a/yaml/1ae6cfc4-ca70-4148-ba1c-e46cc6bfc548.yaml b/yaml/1ae6cfc4-ca70-4148-ba1c-e46cc6bfc548.yaml index 619cbccf6..d466c0206 100644 --- a/yaml/1ae6cfc4-ca70-4148-ba1c-e46cc6bfc548.yaml +++ b/yaml/1ae6cfc4-ca70-4148-ba1c-e46cc6bfc548.yaml 
@@ -39,6 +39,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml KnownVulnerableSamples: - Filename: kprocesshacker.sys MD5: 1b5c3c458e31bede55145d0644e88d75 diff --git a/yaml/1c6e1d3b-f825-4065-9e0c-83386883e40f.yaml b/yaml/1c6e1d3b-f825-4065-9e0c-83386883e40f.yaml index 4ed77fe07..e454ce903 100644 --- a/yaml/1c6e1d3b-f825-4065-9e0c-83386883e40f.yaml +++ b/yaml/1c6e1d3b-f825-4065-9e0c-83386883e40f.yaml 
@@ -35,6 +35,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: rzpnk.sys
 MD5: 4cc3ddd5ae268d9a154a426af2c23ef9
diff --git a/yaml/1c7631f0-f92f-4be5-8ba7-3eefb0601d45.yaml b/yaml/1c7631f0-f92f-4be5-8ba7-3eefb0601d45.yaml
index 260e16d48..3c5b4ce18 100644
--- a/yaml/1c7631f0-f92f-4be5-8ba7-3eefb0601d45.yaml
+++ b/yaml/1c7631f0-f92f-4be5-8ba7-3eefb0601d45.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: LHA.sys
 MD5: 748cf64b95ca83abc35762ad2c25458f
diff --git a/yaml/1d2cdef1-de44-4849-80e5-e2fa288df681.yaml b/yaml/1d2cdef1-de44-4849-80e5-e2fa288df681.yaml
index 3db9069b2..c308d275c 100644
--- a/yaml/1d2cdef1-de44-4849-80e5-e2fa288df681.yaml
+++ b/yaml/1d2cdef1-de44-4849-80e5-e2fa288df681.yaml
@@ -38,6 +38,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: iqvw64e.sys
 MD5: 1898ceda3247213c084f43637ef163b3
diff --git a/yaml/20076ebf-4427-4056-b035-5238f95debe9.yaml b/yaml/20076ebf-4427-4056-b035-5238f95debe9.yaml
index ac5be7c9f..be2597b9a 100644
--- a/yaml/20076ebf-4427-4056-b035-5238f95debe9.yaml
+++ b/yaml/20076ebf-4427-4056-b035-5238f95debe9.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: BSMIXP64.sys
 MD5: fac8eb49e2fd541b81fcbdeb98a199cb
diff --git a/yaml/205721b7-b83b-414a-b4b5-8bacb4a37777.yaml b/yaml/205721b7-b83b-414a-b4b5-8bacb4a37777.yaml
index d1253e359..814563d7a 100644
--- a/yaml/205721b7-b83b-414a-b4b5-8bacb4a37777.yaml
+++ b/yaml/205721b7-b83b-414a-b4b5-8bacb4a37777.yaml
@@ -33,6 +33,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: elrawdsk.sys
 MD5: 1493d342e7a36553c56b2adea150949e
diff --git a/yaml/214654eb-90c4-48c8-a183-0157e50bf07f.yml b/yaml/214654eb-90c4-48c8-a183-0157e50bf07f.yml
index 761164ba6..ddea7e683 100644
--- a/yaml/214654eb-90c4-48c8-a183-0157e50bf07f.yml
+++ b/yaml/214654eb-90c4-48c8-a183-0157e50bf07f.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: MsIo64.sys
 MD5: 88a6d84f4f1cc188741271ac1999a4e9
diff --git a/yaml/22aa985b-5fdb-4e38-9382-a496220c27ec.yaml b/yaml/22aa985b-5fdb-4e38-9382-a496220c27ec.yaml
index 39a55e5bf..fcca91804 100644
--- a/yaml/22aa985b-5fdb-4e38-9382-a496220c27ec.yaml
+++ b/yaml/22aa985b-5fdb-4e38-9382-a496220c27ec.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: TmComm.sys
 MD5: 2e1f8a2a80221deb93496a861693c565
diff --git a/yaml/23f11e19-0776-4dd4-9c9c-7f6b60f8553f.yaml b/yaml/23f11e19-0776-4dd4-9c9c-7f6b60f8553f.yaml
index baa0c9182..0ebbd3d94 100644
--- a/yaml/23f11e19-0776-4dd4-9c9c-7f6b60f8553f.yaml
+++ b/yaml/23f11e19-0776-4dd4-9c9c-7f6b60f8553f.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: ATSZIO.sys
 MD5: b12d1630fd50b2a21fd91e45d522ba3a
diff --git a/yaml/24fb7bab-b8c3-46ea-a370-c84d2f0ff614.yaml b/yaml/24fb7bab-b8c3-46ea-a370-c84d2f0ff614.yaml
index b45bf6692..c39dbe505 100644
--- a/yaml/24fb7bab-b8c3-46ea-a370-c84d2f0ff614.yaml
+++ b/yaml/24fb7bab-b8c3-46ea-a370-c84d2f0ff614.yaml
@@ -32,6 +32,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: ADV64DRV.sys
 MD5: 778b7feea3c750d44745d3bf294bd4ce
diff --git a/yaml/2ada18ae-2c52-49b6-b1a0-cf3b267f6dc7.yml b/yaml/2ada18ae-2c52-49b6-b1a0-cf3b267f6dc7.yml
index a5de9c4d0..3e33269a8 100644
--- a/yaml/2ada18ae-2c52-49b6-b1a0-cf3b267f6dc7.yml
+++ b/yaml/2ada18ae-2c52-49b6-b1a0-cf3b267f6dc7.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: sfdrvx32.sys
 MD5: 9f70cd5edcc4efc48ae21e04fb03be9d
diff --git a/yaml/2b949a0d-939f-456a-a34f-4589d7712227.yaml b/yaml/2b949a0d-939f-456a-a34f-4589d7712227.yaml
index c41b6fb91..b59edabd4 100644
--- a/yaml/2b949a0d-939f-456a-a34f-4589d7712227.yaml
+++ b/yaml/2b949a0d-939f-456a-a34f-4589d7712227.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: libnicm.sys
 MD5: c1fce7aac4e9dd7a730997e2979fa1e2
diff --git a/yaml/2bea1bca-753c-4f09-bc9f-566ab0193f4a.yaml b/yaml/2bea1bca-753c-4f09-bc9f-566ab0193f4a.yaml
index b72692070..6f8eb4d5d 100644
--- a/yaml/2bea1bca-753c-4f09-bc9f-566ab0193f4a.yaml
+++ b/yaml/2bea1bca-753c-4f09-bc9f-566ab0193f4a.yaml
@@ -44,6 +44,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: gdrv.sys
 MD5: 9ab9f3b75a2eb87fafb1b7361be9dfb3
diff --git a/yaml/2d7c96d3-2d6c-44cd-a8a1-5239f571a24a.yml b/yaml/2d7c96d3-2d6c-44cd-a8a1-5239f571a24a.yml
index 92a31fa5d..767be82e3 100644
--- a/yaml/2d7c96d3-2d6c-44cd-a8a1-5239f571a24a.yml
+++ b/yaml/2d7c96d3-2d6c-44cd-a8a1-5239f571a24a.yml
@@ -27,6 +27,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: HW.sys
 MD5: 3cf7a55ec897cc938aebb8161cb8e74f
diff --git a/yaml/2e4fedb0-30ed-400d-b4e1-b2b2004c1607.yaml b/yaml/2e4fedb0-30ed-400d-b4e1-b2b2004c1607.yaml
index 13c2a1672..967b0d0f7 100644
--- a/yaml/2e4fedb0-30ed-400d-b4e1-b2b2004c1607.yaml
+++ b/yaml/2e4fedb0-30ed-400d-b4e1-b2b2004c1607.yaml
@@ -30,6 +30,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: OpenLibSys.sys
 MD5: ccf523b951afaa0147f22e2a7aae4976
diff --git a/yaml/2ea12acc-95b6-4f91-afb7-8ded7a2fe9d9.yml b/yaml/2ea12acc-95b6-4f91-afb7-8ded7a2fe9d9.yml
index b601ac77c..5773fe376 100644
--- a/yaml/2ea12acc-95b6-4f91-afb7-8ded7a2fe9d9.yml
+++ b/yaml/2ea12acc-95b6-4f91-afb7-8ded7a2fe9d9.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: vmdrv.sys
 MD5: 6d67da13cf84f15f6797ed929dd8cf5d
diff --git a/yaml/31686f0e-3748-48c2-be09-fc8f3252e780.yaml b/yaml/31686f0e-3748-48c2-be09-fc8f3252e780.yaml
index ec52d160a..9f42b7527 100644
--- a/yaml/31686f0e-3748-48c2-be09-fc8f3252e780.yaml
+++ b/yaml/31686f0e-3748-48c2-be09-fc8f3252e780.yaml
@@ -29,6 +29,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: FairplayKD.sys
 MD5: 4e90cd77509738d30d3181a4d0880bfa
diff --git a/yaml/31797996-6973-402d-a4a0-d01ce51e02c0.yaml b/yaml/31797996-6973-402d-a4a0-d01ce51e02c0.yaml
index 119012f92..8aef5dced 100644
--- a/yaml/31797996-6973-402d-a4a0-d01ce51e02c0.yaml
+++ b/yaml/31797996-6973-402d-a4a0-d01ce51e02c0.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: AsrIbDrv.sys
 MD5: 5bab40019419a2713298a5c9173e5d30
diff --git a/yaml/3277cecc-f4b4-4a00-be01-9da83e013bcd.yaml b/yaml/3277cecc-f4b4-4a00-be01-9da83e013bcd.yaml
index 35dc54bbb..3e83b650d 100644
--- a/yaml/3277cecc-f4b4-4a00-be01-9da83e013bcd.yaml
+++ b/yaml/3277cecc-f4b4-4a00-be01-9da83e013bcd.yaml
@@ -29,6 +29,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: wantd_5.sys
 MD5: 6d131a7462e568213b44ef69156f10a5
diff --git a/yaml/32ccd436-eb13-4ab3-83d4-3e5471f4e364.yaml b/yaml/32ccd436-eb13-4ab3-83d4-3e5471f4e364.yaml
index fd3c9f1e4..9c6e70c57 100644
--- a/yaml/32ccd436-eb13-4ab3-83d4-3e5471f4e364.yaml
+++ b/yaml/32ccd436-eb13-4ab3-83d4-3e5471f4e364.yaml
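Review bot: The added `yara_signature` entry in this hunk points at `yara-rules_mal_drivers_strict.yar`, while the `sigma_hash`, `sigma_names` and both Sysmon entries added right after it keep the `vuln_drivers` artifacts; the ntbios_2.sys hunk further down shows the same combination. If these are malicious-driver records (the file's category field is outside the hunk, so I cannot confirm from here), the vulnerable-driver Sigma rules and Sysmon hash configs may not actually contain their hashes, and the Detection list would then advertise coverage that does not exist. Worth checking that the enrichment script selects the Sigma and Sysmon references by category the same way it evidently does for YARA, or otherwise that the vuln lists really include these samples.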
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: AsrDrv103.sys
 MD5: 7c72a7e1d42b0790773efd8700e24952
diff --git a/yaml/33a9c9ae-5ca3-442d-9f0f-2615637c1c57.yaml b/yaml/33a9c9ae-5ca3-442d-9f0f-2615637c1c57.yaml
index 2f660d3b7..c61399143 100644
--- a/yaml/33a9c9ae-5ca3-442d-9f0f-2615637c1c57.yaml
+++ b/yaml/33a9c9ae-5ca3-442d-9f0f-2615637c1c57.yaml
@@ -29,6 +29,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: ntbios_2.sys
 MD5: 50b39072d0ee9af5ef4824eca34be6e3
diff --git a/yaml/351ff5ca-f07b-4eb6-9300-d5d31514defb.yaml b/yaml/351ff5ca-f07b-4eb6-9300-d5d31514defb.yaml
index a7a8b734e..8c8720eff 100644
--- a/yaml/351ff5ca-f07b-4eb6-9300-d5d31514defb.yaml
+++ b/yaml/351ff5ca-f07b-4eb6-9300-d5d31514defb.yaml
@@ -31,6 +31,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: nscm.sys
 MD5: 4a23e0f2c6f926a41b28d574cbc6ac30
diff --git a/yaml/39742f99-2180-46d7-8538-56667c935cc3.yaml b/yaml/39742f99-2180-46d7-8538-56667c935cc3.yaml
index 384b4e5d3..18bb7c743 100644
--- a/yaml/39742f99-2180-46d7-8538-56667c935cc3.yaml
+++ b/yaml/39742f99-2180-46d7-8538-56667c935cc3.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: viragt.sys
 MD5: e79c91c27df3eaf82fb7bd1280172517
diff --git a/yaml/3ab0d182-6365-47a7-89f4-34121e889503.yaml b/yaml/3ab0d182-6365-47a7-89f4-34121e889503.yaml
index 59491e614..fc1b84f45 100644
--- a/yaml/3ab0d182-6365-47a7-89f4-34121e889503.yaml
+++ b/yaml/3ab0d182-6365-47a7-89f4-34121e889503.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: HwOs2Ec10x64.sys
 MD5: 37086ae5244442ba552803984a11d6cb
diff --git a/yaml/3ac0eda2-a844-4a9d-9cfa-c25a9e05d678.yaml b/yaml/3ac0eda2-a844-4a9d-9cfa-c25a9e05d678.yaml
index 747da87f5..ea04bb474 100644
--- a/yaml/3ac0eda2-a844-4a9d-9cfa-c25a9e05d678.yaml
+++ b/yaml/3ac0eda2-a844-4a9d-9cfa-c25a9e05d678.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: Bs_Def.sys
 MD5: a9f220b1507a3c9a327a99995ff99c82
diff --git a/yaml/3bc629e8-7bf8-40c2-965b-87eb155e0065.yaml b/yaml/3bc629e8-7bf8-40c2-965b-87eb155e0065.yaml
index 51e64f5ac..763fcda34 100644
--- a/yaml/3bc629e8-7bf8-40c2-965b-87eb155e0065.yaml
+++ b/yaml/3bc629e8-7bf8-40c2-965b-87eb155e0065.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: mtcBSv64.sys
 MD5: 9dfd73dadb2f1c7e9c9d2542981aaa63
diff --git a/yaml/3e0bf6dc-791b-4170-8c40-427e7299d93d.yaml b/yaml/3e0bf6dc-791b-4170-8c40-427e7299d93d.yaml
index 2009358b7..964313a68 100644
--- a/yaml/3e0bf6dc-791b-4170-8c40-427e7299d93d.yaml
+++ b/yaml/3e0bf6dc-791b-4170-8c40-427e7299d93d.yaml
@@ -37,6 +37,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: KfeCo10X64.sys
 MD5: 697f698b59f32f66cd8166e43a5c49c7
diff --git a/yaml/3f39af20-802a-4909-a5de-7f6fe7aab350.yaml b/yaml/3f39af20-802a-4909-a5de-7f6fe7aab350.yaml
index 1aac556e1..fd3e9e2f0 100644
--- a/yaml/3f39af20-802a-4909-a5de-7f6fe7aab350.yaml
+++ b/yaml/3f39af20-802a-4909-a5de-7f6fe7aab350.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: AsrOmgDrv.sys
 MD5: 4f27c09cc8680e06b04d6a9c34ca1e08
diff --git a/yaml/40bfb01b-d251-4c2c-952e-052a89a76f5b.yaml b/yaml/40bfb01b-d251-4c2c-952e-052a89a76f5b.yaml
index 17155b5b7..61ecf9413 100644
--- a/yaml/40bfb01b-d251-4c2c-952e-052a89a76f5b.yaml
+++ b/yaml/40bfb01b-d251-4c2c-952e-052a89a76f5b.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: PanMonFltX64.sys
 MD5: 0067c788e1cb174f008c325ebde56c22
diff --git a/yaml/43d0af25-c066-471f-bb73-6ce25dc7e0eb.yaml b/yaml/43d0af25-c066-471f-bb73-6ce25dc7e0eb.yaml
index 0cd6f7107..0ddcc253c 100644
--- a/yaml/43d0af25-c066-471f-bb73-6ce25dc7e0eb.yaml
+++ b/yaml/43d0af25-c066-471f-bb73-6ce25dc7e0eb.yaml
@@ -29,6 +29,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: Dh_Kernel.sys
 MD5: 98763a3dee3cf03de334f00f95fc071a
diff --git a/yaml/47724cc1-bf75-4ab7-a47a-355a9aa30de1.yaml b/yaml/47724cc1-bf75-4ab7-a47a-355a9aa30de1.yaml
index 9525f92b1..e0279eb7c 100644
--- a/yaml/47724cc1-bf75-4ab7-a47a-355a9aa30de1.yaml
+++ b/yaml/47724cc1-bf75-4ab7-a47a-355a9aa30de1.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: BSMIx64.sys
 MD5: 444f538daa9f7b340cfd43974ed43690
diff --git a/yaml/47a351ee-8abe-40d8-bc2b-557390fa0945.yaml b/yaml/47a351ee-8abe-40d8-bc2b-557390fa0945.yaml
index 476ffa5bb..fcaaed792 100644
--- a/yaml/47a351ee-8abe-40d8-bc2b-557390fa0945.yaml
+++ b/yaml/47a351ee-8abe-40d8-bc2b-557390fa0945.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: Lv561av.sys
 MD5: b47dee29b5e6e1939567a926c7a3e6a4
diff --git a/yaml/47fe1aaf-02cd-4a41-8bf5-0047015a2a6e.yaml b/yaml/47fe1aaf-02cd-4a41-8bf5-0047015a2a6e.yaml
index b2f83e00c..5be906ff2 100644
--- a/yaml/47fe1aaf-02cd-4a41-8bf5-0047015a2a6e.yaml
+++ b/yaml/47fe1aaf-02cd-4a41-8bf5-0047015a2a6e.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: phymem64.sys
 MD5: 2c54859a67306e20bfdc8887b537de72
diff --git a/yaml/48bc2815-85ec-4436-a51a-69810c8cb171.yaml b/yaml/48bc2815-85ec-4436-a51a-69810c8cb171.yaml
index e1fc35763..f98de0907 100644
--- a/yaml/48bc2815-85ec-4436-a51a-69810c8cb171.yaml
+++ b/yaml/48bc2815-85ec-4436-a51a-69810c8cb171.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: driver7-x64.sys
 MD5: 715f8efab1d1c660e4188055c4b28eed
diff --git a/yaml/4a80da66-f8f1-4af9-ba56-696cfe6c1e10.yaml b/yaml/4a80da66-f8f1-4af9-ba56-696cfe6c1e10.yaml
index c1cf8a597..c2f22ed99 100644
--- a/yaml/4a80da66-f8f1-4af9-ba56-696cfe6c1e10.yaml
+++ b/yaml/4a80da66-f8f1-4af9-ba56-696cfe6c1e10.yaml
@@ -32,6 +32,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: BS_Def64.sys
 MD5: 8abbb12e61045984eda19e2dc77b235e
diff --git a/yaml/4bf4b425-10af-4cd4-88e6-beb4b947eb48.yaml b/yaml/4bf4b425-10af-4cd4-88e6-beb4b947eb48.yaml
index 6206ae62f..ebb84a39a 100644
--- a/yaml/4bf4b425-10af-4cd4-88e6-beb4b947eb48.yaml
+++ b/yaml/4bf4b425-10af-4cd4-88e6-beb4b947eb48.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: IObitUnlocker.sys
 MD5: 2391fb461b061d0e5fccb050d4af7941
diff --git a/yaml/4d365dd0-34c3-492e-a2bd-c16266796ae5.yaml b/yaml/4d365dd0-34c3-492e-a2bd-c16266796ae5.yaml
index 98e6eee97..585e22e51 100644
--- a/yaml/4d365dd0-34c3-492e-a2bd-c16266796ae5.yaml
+++ b/yaml/4d365dd0-34c3-492e-a2bd-c16266796ae5.yaml
@@ -32,6 +32,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: ALSysIO64.sys
 MD5: 13dda15ef67eb265869fc371c72d6ef0
diff --git a/yaml/4db827b1-325b-444d-9f23-171285a4d12f.yaml b/yaml/4db827b1-325b-444d-9f23-171285a4d12f.yaml
index d40ea7036..5b01414dc 100644
--- a/yaml/4db827b1-325b-444d-9f23-171285a4d12f.yaml
+++ b/yaml/4db827b1-325b-444d-9f23-171285a4d12f.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: VProEventMonitor.sys
 MD5: cd9f0fcecf1664facb3671c0130dc8bb
diff --git a/yaml/4dd3289c-522c-4fce-b48e-5370efc90fa1.yml b/yaml/4dd3289c-522c-4fce-b48e-5370efc90fa1.yml
index 2aa54e5ab..594b5ec9a 100644
--- a/yaml/4dd3289c-522c-4fce-b48e-5370efc90fa1.yml
+++ b/yaml/4dd3289c-522c-4fce-b48e-5370efc90fa1.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: iQVW64.SYS
 MD5: c796a92a66ec725b7b7febbdc13dc69b
diff --git a/yaml/51c342f3-0b91-4674-8f81-bc016855f30f.yaml b/yaml/51c342f3-0b91-4674-8f81-bc016855f30f.yaml
index e858eb300..b39daff22 100644
--- a/yaml/51c342f3-0b91-4674-8f81-bc016855f30f.yaml
+++ b/yaml/51c342f3-0b91-4674-8f81-bc016855f30f.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: AsrDrv101.sys
 MD5: 1a234f4643f5658bab07bfa611282267
diff --git a/yaml/54d67d79-0268-4c5f-be7e-0f74cd20828a.yaml b/yaml/54d67d79-0268-4c5f-be7e-0f74cd20828a.yaml
index a1c207f07..b8d4caaab 100644
--- a/yaml/54d67d79-0268-4c5f-be7e-0f74cd20828a.yaml
+++ b/yaml/54d67d79-0268-4c5f-be7e-0f74cd20828a.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: NTIOLib_X64.sys
 MD5: c02f70960fa934b8defa16a03d7f6556
diff --git a/yaml/57f63efb-dc43-4dba-9413-173e3e4be750.yaml b/yaml/57f63efb-dc43-4dba-9413-173e3e4be750.yaml
index 31a304ee3..fb174b48b 100644
--- a/yaml/57f63efb-dc43-4dba-9413-173e3e4be750.yaml
+++ b/yaml/57f63efb-dc43-4dba-9413-173e3e4be750.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: AsrSmartConnectDrv.sys
 MD5: 56a515173b211832e20fbc64e5a0447c
diff --git a/yaml/57fc510a-e649-4599-b83e-8f3605e3d1d9.yaml b/yaml/57fc510a-e649-4599-b83e-8f3605e3d1d9.yaml
index 2760602e4..45f5ce8dd 100644
--- a/yaml/57fc510a-e649-4599-b83e-8f3605e3d1d9.yaml
+++ b/yaml/57fc510a-e649-4599-b83e-8f3605e3d1d9.yaml
@@ -35,6 +35,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: aswArPot.sys
 MD5: a179c4093d05a3e1ee73f6ff07f994aa
diff --git a/yaml/5943b267-64f3-40d4-8669-354f23dec122.yaml b/yaml/5943b267-64f3-40d4-8669-354f23dec122.yaml
index 42756ee5d..dec721e0a 100644
--- a/yaml/5943b267-64f3-40d4-8669-354f23dec122.yaml
+++ b/yaml/5943b267-64f3-40d4-8669-354f23dec122.yaml
@@ -36,6 +36,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: Agent64.sys
 MD5: 8407ddfab85ae664e507c30314090385
diff --git a/yaml/5969b6dc-b136-480e-a527-3cb2ea2f0da9.yaml b/yaml/5969b6dc-b136-480e-a527-3cb2ea2f0da9.yaml
index 45b365929..5036786b4 100644
--- a/yaml/5969b6dc-b136-480e-a527-3cb2ea2f0da9.yaml
+++ b/yaml/5969b6dc-b136-480e-a527-3cb2ea2f0da9.yaml
@@ -35,6 +35,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: hw.sys
 MD5: 3247014ba35d406475311a2eab0c4657
diff --git a/yaml/5af9abf0-d8de-4e9b-8141-e9e97a31901a.yaml b/yaml/5af9abf0-d8de-4e9b-8141-e9e97a31901a.yaml
index ec5a453f4..85b0a83ba 100644
--- a/yaml/5af9abf0-d8de-4e9b-8141-e9e97a31901a.yaml
+++ b/yaml/5af9abf0-d8de-4e9b-8141-e9e97a31901a.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: AsrDrv102.sys
 MD5: 76bb1a4332666222a8e3e1339e267179
diff --git a/yaml/5f70bde4-9f81-44a8-9d3e-c6c7cf65bfae.yaml b/yaml/5f70bde4-9f81-44a8-9d3e-c6c7cf65bfae.yaml
index 7181dd3b1..4aa3f3b44 100644
--- a/yaml/5f70bde4-9f81-44a8-9d3e-c6c7cf65bfae.yaml
+++ b/yaml/5f70bde4-9f81-44a8-9d3e-c6c7cf65bfae.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: PanIO.sys
 MD5: 9a9dbf5107848c254381be67a4c1b1dd
diff --git a/yaml/613b8509-18c0-4720-b489-736776b6713e.yml b/yaml/613b8509-18c0-4720-b489-736776b6713e.yml
index 28e483cf4..f1061a5b2 100644
--- a/yaml/613b8509-18c0-4720-b489-736776b6713e.yml
+++ b/yaml/613b8509-18c0-4720-b489-736776b6713e.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: gdrv.sys
 MD5: b0954711c133d284a171dd560c8f492a
diff --git a/yaml/61514cbd-6f34-4a3e-a022-9ecbccc16feb.yaml b/yaml/61514cbd-6f34-4a3e-a022-9ecbccc16feb.yaml
index ea8f043e7..f4a1a4ee2 100644
--- a/yaml/61514cbd-6f34-4a3e-a022-9ecbccc16feb.yaml
+++ b/yaml/61514cbd-6f34-4a3e-a022-9ecbccc16feb.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: atillk64.sys
 MD5: 62f02339fe267dc7438f603bfb5431a1
diff --git a/yaml/66be9e0a-9246-4404-b5b5-7fbde351668f.yml b/yaml/66be9e0a-9246-4404-b5b5-7fbde351668f.yml
index 4da20cf2f..868862d7a 100644
--- a/yaml/66be9e0a-9246-4404-b5b5-7fbde351668f.yml
+++ b/yaml/66be9e0a-9246-4404-b5b5-7fbde351668f.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: BS_I2cIo.sys
 MD5: 3c4154866f3d483fdc9f4f64ef868888
diff --git a/yaml/670dc258-78b5-4552-a16b-b41917c86f8d.yaml b/yaml/670dc258-78b5-4552-a16b-b41917c86f8d.yaml
index 0baad5400..0f9fac7e6 100644
--- a/yaml/670dc258-78b5-4552-a16b-b41917c86f8d.yaml
+++ b/yaml/670dc258-78b5-4552-a16b-b41917c86f8d.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: driver7-x86.sys
 MD5: 1f950cfd5ed8dd9de3de004f5416fe20
diff --git a/yaml/6a50e368-1120-434b-9232-1a0702c80437.yaml b/yaml/6a50e368-1120-434b-9232-1a0702c80437.yaml
index 0f132c4b6..82254085b 100644
--- a/yaml/6a50e368-1120-434b-9232-1a0702c80437.yaml
+++ b/yaml/6a50e368-1120-434b-9232-1a0702c80437.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: AsrDrv106.sys
 MD5: 12908c285b9d68ee1f39186110df0f1e
diff --git a/yaml/6d21df78-d718-44df-b722-99eec654f5b2.yaml b/yaml/6d21df78-d718-44df-b722-99eec654f5b2.yaml
index a83dbd0f8..8299bfff0 100644
--- a/yaml/6d21df78-d718-44df-b722-99eec654f5b2.yaml
+++ b/yaml/6d21df78-d718-44df-b722-99eec654f5b2.yaml
@@ -35,6 +35,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: MsIo64.sys
 MD5: dc943bf367ae77016ae399df8e71d38a
diff --git a/yaml/6ec5ddda-f302-4008-a73e-12814c1d571f.yml b/yaml/6ec5ddda-f302-4008-a73e-12814c1d571f.yml
index f6c2f6364..44f067ff0 100644
--- a/yaml/6ec5ddda-f302-4008-a73e-12814c1d571f.yml
+++ b/yaml/6ec5ddda-f302-4008-a73e-12814c1d571f.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: ATSZIO.sys
 MD5: 17b97fbe2e8834d7ad30211635e1b271
diff --git a/yaml/6fc3034f-8b40-44ef-807a-f61d3ea2dece.yaml b/yaml/6fc3034f-8b40-44ef-807a-f61d3ea2dece.yaml
index b7596793d..47a9d4fb0 100644
--- a/yaml/6fc3034f-8b40-44ef-807a-f61d3ea2dece.yaml
+++ b/yaml/6fc3034f-8b40-44ef-807a-f61d3ea2dece.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: NBIOLib_X64.sys
 MD5: f2f728d2f69765f5dfda913d407783d2
diff --git a/yaml/70acea34-7ed2-42d5-885c-eca3c2de640c.yaml b/yaml/70acea34-7ed2-42d5-885c-eca3c2de640c.yaml
index 649e80f21..5a610d786 100644
--- a/yaml/70acea34-7ed2-42d5-885c-eca3c2de640c.yaml
+++ b/yaml/70acea34-7ed2-42d5-885c-eca3c2de640c.yaml
@@ -29,6 +29,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: Sense5Ext.sys
 MD5: f9844524fb0009e5b784c21c7bad4220
diff --git a/yaml/72637cb1-5ca2-4ad0-a5df-20da17b231b5.yaml b/yaml/72637cb1-5ca2-4ad0-a5df-20da17b231b5.yaml
index 755f63450..b42f8363f 100644
--- a/yaml/72637cb1-5ca2-4ad0-a5df-20da17b231b5.yaml
+++ b/yaml/72637cb1-5ca2-4ad0-a5df-20da17b231b5.yaml
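Review bot: The new yara_signature entry here points at `yara-rules_mal_drivers_strict.yar` while the sigma and sysmon entries added alongside it still reference the `vuln_drivers` / `vulnerable_hashes` rule files, so the malicious-driver classification is only reflected in the YARA reference. Whether those sigma and sysmon files also cover the samples the script classes as malicious is not visible in this diff, so it is worth confirming the pairing is deliberate rather than the non-YARA references being filled from a single default in bin/enrich_with_yara.py. The vulnerable-driver files use `yara-rules_vuln_drivers_strict_renamed.yar` while the malicious ones use `yara-rules_mal_drivers_strict.yar` without the `_renamed` suffix; if both files are meant to be the renamed-rule variants, the script's mal path looks like it was not updated. The same pairing appears in the hunks for 72637cb1, 7ce8fb06, 87752fb8, 892292f9 and 93740202.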
@@ -29,6 +29,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: wantd_4.sys
 MD5: 79df0eabbf2895e4e2dae15a4772868c
diff --git a/yaml/73196456-40ae-4b6d-8562-07cf99458a7d.yml b/yaml/73196456-40ae-4b6d-8562-07cf99458a7d.yml
index db10636dd..ac3396439 100644
--- a/yaml/73196456-40ae-4b6d-8562-07cf99458a7d.yml
+++ b/yaml/73196456-40ae-4b6d-8562-07cf99458a7d.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: kEvP64.sys
 MD5: 4ff880566f22919ed94ffae215d39da5
diff --git a/yaml/76b5dfae-b384-45ce-8646-b2eec6b76a1e.yaml b/yaml/76b5dfae-b384-45ce-8646-b2eec6b76a1e.yaml
index 28ff5ea0d..f7f8c7f73 100644
--- a/yaml/76b5dfae-b384-45ce-8646-b2eec6b76a1e.yaml
+++ b/yaml/76b5dfae-b384-45ce-8646-b2eec6b76a1e.yaml
@@ -37,6 +37,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: KfeCo11X64.sys
 MD5: c901887f28bbb55a10eb934755b47227
diff --git a/yaml/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2.yml b/yaml/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2.yml
index 5410645e8..1bce372ba 100644
--- a/yaml/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2.yml
+++ b/yaml/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: VBoxDrv.sys
 MD5: b1b8e6b85dd03c7f1290b1a071fc79c1
diff --git a/yaml/7a722cd5-69ec-4680-9f20-9387f249a891.yml b/yaml/7a722cd5-69ec-4680-9f20-9387f249a891.yml
index ff810c9a0..7e0aa42d9 100644
--- a/yaml/7a722cd5-69ec-4680-9f20-9387f249a891.yml
+++ b/yaml/7a722cd5-69ec-4680-9f20-9387f249a891.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: ElbyCDIO.sys
 MD5: 702d5606cf2199e0edea6f0e0d27cd10
diff --git a/yaml/7bb5ff05-25f8-410d-ae99-c8e8f082d24f.yaml b/yaml/7bb5ff05-25f8-410d-ae99-c8e8f082d24f.yaml
index e95b4d366..801cb6845 100644
--- a/yaml/7bb5ff05-25f8-410d-ae99-c8e8f082d24f.yaml
+++ b/yaml/7bb5ff05-25f8-410d-ae99-c8e8f082d24f.yaml
@@ -32,6 +32,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: WinRing0.sys
 MD5: 828bb9cb1dd449cd65a29b18ec46055f
diff --git a/yaml/7ce8fb06-46eb-4f4f-90d5-5518a6561f15.yaml b/yaml/7ce8fb06-46eb-4f4f-90d5-5518a6561f15.yaml
index 92c76c9f6..7036cde90 100644
--- a/yaml/7ce8fb06-46eb-4f4f-90d5-5518a6561f15.yaml
+++ b/yaml/7ce8fb06-46eb-4f4f-90d5-5518a6561f15.yaml
@@ -32,6 +32,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: gmer64.sys
 MD5: a822b9e6eedf69211013e192967bf523
diff --git a/yaml/7edb5602-239f-460a-89d6-363ff1059765.yml b/yaml/7edb5602-239f-460a-89d6-363ff1059765.yml
index dfdd240bf..24b93849d 100644
--- a/yaml/7edb5602-239f-460a-89d6-363ff1059765.yml
+++ b/yaml/7edb5602-239f-460a-89d6-363ff1059765.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: viragt64.sys
 MD5: 779af226b7b72ff9d78ce1f03d4a3389
diff --git a/yaml/7f645b95-4374-47ae-be1a-e4415308b550.yaml b/yaml/7f645b95-4374-47ae-be1a-e4415308b550.yaml
index 458b252eb..d5743ed47 100644
--- a/yaml/7f645b95-4374-47ae-be1a-e4415308b550.yaml
+++ b/yaml/7f645b95-4374-47ae-be1a-e4415308b550.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: WCPU.sys
 MD5: c1d063c9422a19944cdaa6714623f2ec
diff --git a/yaml/7f9842a0-8118-462e-8860-227265ff4379.yml b/yaml/7f9842a0-8118-462e-8860-227265ff4379.yml
index c1cbc1705..25887baf2 100644
--- a/yaml/7f9842a0-8118-462e-8860-227265ff4379.yml
+++ b/yaml/7f9842a0-8118-462e-8860-227265ff4379.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: NTIOLib.sys
 MD5: 4d99d02f49e027332a0a9c31c674e13b
diff --git a/yaml/81a73e57-2e92-4d21-97d3-1c21eb4c3aea.yaml b/yaml/81a73e57-2e92-4d21-97d3-1c21eb4c3aea.yaml
index 4482ab114..5d186a7e3 100644
--- a/yaml/81a73e57-2e92-4d21-97d3-1c21eb4c3aea.yaml
+++ b/yaml/81a73e57-2e92-4d21-97d3-1c21eb4c3aea.yaml
@@ -33,6 +33,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: LenovoDiagnosticsDriver.sys
 MD5: b941c8364308990ee4cc6eadf7214e0f
diff --git a/yaml/855ade1f-8a9e-4c9d-ab8e-d7e409609852.yaml b/yaml/855ade1f-8a9e-4c9d-ab8e-d7e409609852.yaml
index d8ec0518c..f13fdcd31 100644
--- a/yaml/855ade1f-8a9e-4c9d-ab8e-d7e409609852.yaml
+++ b/yaml/855ade1f-8a9e-4c9d-ab8e-d7e409609852.yaml
@@ -32,6 +32,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: elbycdio.sys
 MD5: ae5eb2759305402821aeddc52ba9a6d6
diff --git a/yaml/86cff0de-2536-4b8d-a846-a7312c569597.yaml b/yaml/86cff0de-2536-4b8d-a846-a7312c569597.yaml
index b6fbcdeb3..cea6e2bcc 100644
--- a/yaml/86cff0de-2536-4b8d-a846-a7312c569597.yaml
+++ b/yaml/86cff0de-2536-4b8d-a846-a7312c569597.yaml
@@ -31,6 +31,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: nicm.sys
 MD5: 22823fed979903f8dfe3b5d28537eb47
diff --git a/yaml/87752fb8-e9f6-4235-91e2-c4343677d817.yaml b/yaml/87752fb8-e9f6-4235-91e2-c4343677d817.yaml
index 6cc638a6e..19189c022 100644
--- a/yaml/87752fb8-e9f6-4235-91e2-c4343677d817.yaml
+++ b/yaml/87752fb8-e9f6-4235-91e2-c4343677d817.yaml
@@ -31,6 +31,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: mimidrv.sys
 MD5: 29e03f4811b64969e48a99300978f58c
diff --git a/yaml/892292f9-b87c-40a5-80e5-8c9b02914e8b.yaml b/yaml/892292f9-b87c-40a5-80e5-8c9b02914e8b.yaml
index cf618bee6..767708e74 100644
--- a/yaml/892292f9-b87c-40a5-80e5-8c9b02914e8b.yaml
+++ b/yaml/892292f9-b87c-40a5-80e5-8c9b02914e8b.yaml
@@ -29,6 +29,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: wantd.sys
 MD5: b0770094c3c64250167b55e4db850c04
diff --git a/yaml/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025.yml b/yaml/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025.yml
index 68df0b8f8..f222120f1 100644
--- a/yaml/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025.yml
+++ b/yaml/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025.yml
@@ -35,6 +35,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: rtkio64.sys
 MD5: 7aa34cd9ea5649c24a814e292b270b6f
diff --git a/yaml/8ff4ab50-05b7-4bfa-b994-1920c4ed4978.yaml b/yaml/8ff4ab50-05b7-4bfa-b994-1920c4ed4978.yaml
index 319c6f4d4..32f99026e 100644
--- a/yaml/8ff4ab50-05b7-4bfa-b994-1920c4ed4978.yaml
+++ b/yaml/8ff4ab50-05b7-4bfa-b994-1920c4ed4978.yaml
@@ -31,6 +31,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: ncpl.sys
 MD5: a26e600652c33dd054731b4693bf5b01
diff --git a/yaml/9074a02a-b1ca-4bfb-8918-5b88e91c04a2.yaml b/yaml/9074a02a-b1ca-4bfb-8918-5b88e91c04a2.yaml
index 854cb4fd1..c9fd9b71f 100644
--- a/yaml/9074a02a-b1ca-4bfb-8918-5b88e91c04a2.yaml
+++ b/yaml/9074a02a-b1ca-4bfb-8918-5b88e91c04a2.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: superbmc.sys
 MD5: 3473faea65fba5d4fbe54c0898a3c044
diff --git a/yaml/90afa27c-0f67-46a6-b4a9-809f55157c71.yml b/yaml/90afa27c-0f67-46a6-b4a9-809f55157c71.yml
index 91b907c6a..bc829fc1d 100644
--- a/yaml/90afa27c-0f67-46a6-b4a9-809f55157c71.yml
+++ b/yaml/90afa27c-0f67-46a6-b4a9-809f55157c71.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: nscm.sys
 MD5: ba2c0fa201c74621cddd8638497b3c70
diff --git a/yaml/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f.yaml b/yaml/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f.yaml
index 36c3c96b7..e1f88c38c 100644
--- a/yaml/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f.yaml
+++ b/yaml/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f.yaml
@@ -32,6 +32,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: inpoutx64.sys
 MD5: 4d487f77be4471900d6ccbc47242cc25
diff --git a/yaml/93740202-930c-4ab4-8603-8ec9532c5415.yaml b/yaml/93740202-930c-4ab4-8603-8ec9532c5415.yaml
index f71d0d208..61ab167fe 100644
--- a/yaml/93740202-930c-4ab4-8603-8ec9532c5415.yaml
+++ b/yaml/93740202-930c-4ab4-8603-8ec9532c5415.yaml
@@ -20,7 +20,17 @@ Resources:
 Acknowledgement:
   Person: ''
   Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: WinTapix.sys
   MD5: 3dd829fb27353622eff34be1eabb8f18
diff --git a/yaml/93c84c08-4683-493d-abf7-22dc2d1cb567.yaml b/yaml/93c84c08-4683-493d-abf7-22dc2d1cb567.yaml
index e72f8f3cd..fcbf8d855 100644
--- a/yaml/93c84c08-4683-493d-abf7-22dc2d1cb567.yaml
+++ b/yaml/93c84c08-4683-493d-abf7-22dc2d1cb567.yaml
@@ -28,6 +28,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: PanIOx64.sys
   MD5: 0d6fef14f8e1ce5753424bd22c46b1ce
diff --git a/yaml/999a11ae-ec2b-4863-baa4-1384ec2b7339.yaml b/yaml/999a11ae-ec2b-4863-baa4-1384ec2b7339.yaml
index e5c417c7f..aef6977b6 100644
--- a/yaml/999a11ae-ec2b-4863-baa4-1384ec2b7339.yaml
+++ b/yaml/999a11ae-ec2b-4863-baa4-1384ec2b7339.yaml
@@ -28,6 +28,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: NalDrv.sys
   MD5: 1898ceda3247213c084f43637ef163b3
diff --git a/yaml/9a4fb66e-9084-4b21-9d76-a7afbe330606.yaml b/yaml/9a4fb66e-9084-4b21-9d76-a7afbe330606.yaml
index 3f966efc4..f89e15959 100644
--- a/yaml/9a4fb66e-9084-4b21-9d76-a7afbe330606.yaml
+++ b/yaml/9a4fb66e-9084-4b21-9d76-a7afbe330606.yaml
@@ -28,6 +28,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: AMDPowerProfiler.sys
   MD5: e4266262a77fffdea2584283f6c4f51d
diff --git a/yaml/9c3c6e89-3916-498f-81e5-da057ab3ed42.yaml b/yaml/9c3c6e89-3916-498f-81e5-da057ab3ed42.yaml
index 1ca88bcb0..bc8534699 100644
--- a/yaml/9c3c6e89-3916-498f-81e5-da057ab3ed42.yaml
+++ b/yaml/9c3c6e89-3916-498f-81e5-da057ab3ed42.yaml
@@ -33,6 +33,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: windbg.sys
   MD5: 88bea56ae9257b40063785cf47546024
diff --git a/yaml/9e87b6b0-00ed-4259-bcd7-05e2c924d58c.yaml b/yaml/9e87b6b0-00ed-4259-bcd7-05e2c924d58c.yaml
index 12fcd44c0..c8fdc720a 100644
--- a/yaml/9e87b6b0-00ed-4259-bcd7-05e2c924d58c.yaml
+++ b/yaml/9e87b6b0-00ed-4259-bcd7-05e2c924d58c.yaml
@@ -28,6 +28,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: BSMEMx64.sys
   MD5: 49fe3d1f3d5c2e50a0df0f6e8436d778
diff --git a/yaml/a02ee964-a21e-4b08-9c98-a730c90bfd53.yml b/yaml/a02ee964-a21e-4b08-9c98-a730c90bfd53.yml
index fac8f8641..b04956386 100644
--- a/yaml/a02ee964-a21e-4b08-9c98-a730c90bfd53.yml
+++ b/yaml/a02ee964-a21e-4b08-9c98-a730c90bfd53.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
   Person: Michael Alfaro
   Handle: '@_mmpte_software'
-Detection: []
+Detection:
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: LMIinfo.sys
   MD5: d4f7c14e92b36c341c41ae93159407dd
diff --git a/yaml/a0fbd397-64d5-4af2-844b-b096e08a1866.yml b/yaml/a0fbd397-64d5-4af2-844b-b096e08a1866.yml
index 4c708c2e3..bc4c3cd2a 100644
--- a/yaml/a0fbd397-64d5-4af2-844b-b096e08a1866.yml
+++ b/yaml/a0fbd397-64d5-4af2-844b-b096e08a1866.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
   Person: []
   Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: libnicm.sys
   MD5: 7a6a6d6921cd1a4e1d61f9672a4560d6
diff --git a/yaml/a22104a8-126d-449f-ba3e-28678c60c587.yaml b/yaml/a22104a8-126d-449f-ba3e-28678c60c587.yaml
index 10dab19e3..f13fdb035 100644
--- a/yaml/a22104a8-126d-449f-ba3e-28678c60c587.yaml
+++ b/yaml/a22104a8-126d-449f-ba3e-28678c60c587.yaml
@@ -29,6 +29,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: wantd_3.sys
   MD5: fb7c61ef427f9b2fdff3574ee6b1819b
diff --git a/yaml/a261cd64-0d04-4bf5-ad73-f3bb96bf83cf.yaml b/yaml/a261cd64-0d04-4bf5-ad73-f3bb96bf83cf.yaml
index 23b9eccbe..ec642fd7b 100644
--- a/yaml/a261cd64-0d04-4bf5-ad73-f3bb96bf83cf.yaml
+++ b/yaml/a261cd64-0d04-4bf5-ad73-f3bb96bf83cf.yaml
@@ -28,6 +28,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: PCHunter.sys
   MD5: c2c1b8c00b99e913d992a870ed478a24
diff --git a/yaml/a285591e-ad3c-46a3-a648-c58589ff5efc.yaml b/yaml/a285591e-ad3c-46a3-a648-c58589ff5efc.yaml
index e249b41f7..e5d7da0ca 100644
--- a/yaml/a285591e-ad3c-46a3-a648-c58589ff5efc.yaml
+++ b/yaml/a285591e-ad3c-46a3-a648-c58589ff5efc.yaml
@@ -27,6 +27,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: amsdk.sys
   MD5: eb525d99a31eb4fff09814e83593a494
diff --git a/yaml/a33de377-d2c2-4c71-98ca-cd0be8d284f9.yaml b/yaml/a33de377-d2c2-4c71-98ca-cd0be8d284f9.yaml
index 96eb4d9bf..beaef3674 100644
--- a/yaml/a33de377-d2c2-4c71-98ca-cd0be8d284f9.yaml
+++ b/yaml/a33de377-d2c2-4c71-98ca-cd0be8d284f9.yaml
@@ -29,6 +29,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: BS_I2cIo.sys
   MD5: 83601bbe5563d92c1fdb4e960d84dc77
diff --git a/yaml/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f.yaml b/yaml/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f.yaml
index d4ab455ea..a9f5db4e5 100644
--- a/yaml/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f.yaml
+++ b/yaml/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f.yaml
@@ -27,6 +27,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: segwindrvx64.sys
   MD5: 4ae55080ec8aed49343e40d08370195c
diff --git a/yaml/a5ebba11-5a31-48d2-9c6d-78bba397edf1.yaml b/yaml/a5ebba11-5a31-48d2-9c6d-78bba397edf1.yaml
index 2361923f8..b0921c551 100644
--- a/yaml/a5ebba11-5a31-48d2-9c6d-78bba397edf1.yaml
+++ b/yaml/a5ebba11-5a31-48d2-9c6d-78bba397edf1.yaml
@@ -28,6 +28,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: PcieCubed.sys
   MD5: 22949977ce5cd96ba674b403a9c81285
diff --git a/yaml/a66d0413-cc82-4f1e-bcf1-0dcf9d79f6c0.yaml b/yaml/a66d0413-cc82-4f1e-bcf1-0dcf9d79f6c0.yaml
index 56eb5e653..c6108a992 100644
--- a/yaml/a66d0413-cc82-4f1e-bcf1-0dcf9d79f6c0.yaml
+++ b/yaml/a66d0413-cc82-4f1e-bcf1-0dcf9d79f6c0.yaml
@@ -28,6 +28,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: BS_HWMIO64_W10.sys
   MD5: d2588631d8aae2a3e54410eaf54f0679
diff --git a/yaml/a7628504-9e35-4e42-91f7-0c0a512549f4.yml b/yaml/a7628504-9e35-4e42-91f7-0c0a512549f4.yml
index 366c0ed9f..8282d1d9d 100644
--- a/yaml/a7628504-9e35-4e42-91f7-0c0a512549f4.yml
+++ b/yaml/a7628504-9e35-4e42-91f7-0c0a512549f4.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
   Person: []
   Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: SANDRA
   MD5: c842827d4704a5ef53a809463254e1cc
diff --git a/yaml/a7775cbe-624b-4b04-b74f-969f77c2ac02.yaml b/yaml/a7775cbe-624b-4b04-b74f-969f77c2ac02.yaml
index 2f407c8ec..f046949bf 100644
--- a/yaml/a7775cbe-624b-4b04-b74f-969f77c2ac02.yaml
+++ b/yaml/a7775cbe-624b-4b04-b74f-969f77c2ac02.yaml
@@ -28,6 +28,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: viragt64.sys
   MD5: 43830326cd5fae66f5508e27cbec39a0
diff --git a/yaml/a7bba474-815f-49be-bddc-4d76a64c866c.yaml b/yaml/a7bba474-815f-49be-bddc-4d76a64c866c.yaml
index af41754a9..44434c684 100644
--- a/yaml/a7bba474-815f-49be-bddc-4d76a64c866c.yaml
+++ b/yaml/a7bba474-815f-49be-bddc-4d76a64c866c.yaml
@@ -110,6 +110,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: NTIOLib.sys
   MD5: 6126065af2fc2639473d12ee3c0c198e
diff --git a/yaml/a845a05c-5357-4b78-9783-16b4d34b2cb0.yaml b/yaml/a845a05c-5357-4b78-9783-16b4d34b2cb0.yaml
index d5ca3b587..226adc331 100644
--- a/yaml/a845a05c-5357-4b78-9783-16b4d34b2cb0.yaml
+++ b/yaml/a845a05c-5357-4b78-9783-16b4d34b2cb0.yaml
@@ -29,6 +29,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: aswVmm.sys
   MD5: a5f637d61719d37a5b4868c385e363c0
diff --git a/yaml/a9d9cbb7-b5f6-4e74-97a5-29993263280e.yml b/yaml/a9d9cbb7-b5f6-4e74-97a5-29993263280e.yml
index 7ab549886..1219f11b2 100644
--- a/yaml/a9d9cbb7-b5f6-4e74-97a5-29993263280e.yml
+++ b/yaml/a9d9cbb7-b5f6-4e74-97a5-29993263280e.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
   Person: []
   Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: CorsairLLAccess64.sys
   MD5: b34361d151c793415ef92ee5d368c053
diff --git a/yaml/aa687f89-4f3b-4b59-b64e-fee5e2ae2310.yaml b/yaml/aa687f89-4f3b-4b59-b64e-fee5e2ae2310.yaml
index 4319dc5eb..ed940a1ac 100644
--- a/yaml/aa687f89-4f3b-4b59-b64e-fee5e2ae2310.yaml
+++ b/yaml/aa687f89-4f3b-4b59-b64e-fee5e2ae2310.yaml
@@ -29,6 +29,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: wantd_2.sys
   MD5: 8636fe3724f2bcba9399daffd6ef3c7e
diff --git a/yaml/ad21819d-3080-4fe2-89b1-74385031fb4d.yaml b/yaml/ad21819d-3080-4fe2-89b1-74385031fb4d.yaml
index 6f562ab7b..c7c8cdef0 100644
--- a/yaml/ad21819d-3080-4fe2-89b1-74385031fb4d.yaml
+++ b/yaml/ad21819d-3080-4fe2-89b1-74385031fb4d.yaml
@@ -28,6 +28,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: ATSZIO64.sys
   MD5: b12d1630fd50b2a21fd91e45d522ba3a
diff --git a/yaml/b03798af-d25a-400b-9236-4643a802846f.yml b/yaml/b03798af-d25a-400b-9236-4643a802846f.yml
index 1d4298d1d..a903b9898 100644
--- a/yaml/b03798af-d25a-400b-9236-4643a802846f.yml
+++ b/yaml/b03798af-d25a-400b-9236-4643a802846f.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
   Person: []
   Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: RwDrv.sys
   MD5: f853abe0dc162601e66e4a346faed854
diff --git a/yaml/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6.yaml b/yaml/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6.yaml
index 1c50dea3d..9e6debbb9 100644
--- a/yaml/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6.yaml
+++ b/yaml/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6.yaml
@@ -28,6 +28,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: WiseUnlo.sys
   MD5: 356bda2bf0f6899a2c08b2da3ec69f13
diff --git a/yaml/b72f7335-6f27-42c5-85f5-ed7eb9016eac.yaml b/yaml/b72f7335-6f27-42c5-85f5-ed7eb9016eac.yaml
index 16d5eeda5..b8c1ac4a4 100644
--- a/yaml/b72f7335-6f27-42c5-85f5-ed7eb9016eac.yaml
+++ b/yaml/b72f7335-6f27-42c5-85f5-ed7eb9016eac.yaml
@@ -28,6 +28,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: AsrAutoChkUpdDrv.sys
   MD5: 75d6c3469347de1cdfa3b1b9f1544208
diff --git a/yaml/bb808089-5857-4df2-8998-753a7106cb44.yaml b/yaml/bb808089-5857-4df2-8998-753a7106cb44.yaml
index f52785509..1b93bac0b 100644
--- a/yaml/bb808089-5857-4df2-8998-753a7106cb44.yaml
+++ b/yaml/bb808089-5857-4df2-8998-753a7106cb44.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: DBUtilDrv2.sys
 MD5: dacb62578b3ea191ea37486d15f4f83c
diff --git a/yaml/bc5e020a-ecff-43c8-b57b-ee17b5f65b21.yaml b/yaml/bc5e020a-ecff-43c8-b57b-ee17b5f65b21.yaml
index 1531380b7..8b2825c4f 100644
--- a/yaml/bc5e020a-ecff-43c8-b57b-ee17b5f65b21.yaml
+++ b/yaml/bc5e020a-ecff-43c8-b57b-ee17b5f65b21.yaml
@@ -29,6 +29,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: sandra.sys
 MD5: 9a237fa07ce3ed06ea924a9bed4a6b99
diff --git a/yaml/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc.yaml b/yaml/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc.yaml
index c46f6e561..12492bd7d 100644
--- a/yaml/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc.yaml
+++ b/yaml/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: PhlashNT.sys
 MD5: e9e786bdba458b8b4f9e93d034f73d00
diff --git a/yaml/bf01915d-045f-442c-a74e-25c56182123f.yaml b/yaml/bf01915d-045f-442c-a74e-25c56182123f.yaml
index 12fe44569..c63784638 100644
--- a/yaml/bf01915d-045f-442c-a74e-25c56182123f.yaml
+++ b/yaml/bf01915d-045f-442c-a74e-25c56182123f.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: BSMI.sys
 MD5: fac8eb49e2fd541b81fcbdeb98a199cb
diff --git a/yaml/c3cca618-5a7f-4a51-8785-cb328fbfb0df.yaml b/yaml/c3cca618-5a7f-4a51-8785-cb328fbfb0df.yaml
index 18c991b04..f2af3072d 100644
--- a/yaml/c3cca618-5a7f-4a51-8785-cb328fbfb0df.yaml
+++ b/yaml/c3cca618-5a7f-4a51-8785-cb328fbfb0df.yaml
@@ -29,6 +29,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: viraglt64.sys
 MD5: 43830326cd5fae66f5508e27cbec39a0
diff --git a/yaml/c98af16e-197f-4e66-bf94-14646bde32dd.yml b/yaml/c98af16e-197f-4e66-bf94-14646bde32dd.yml
index c197b8f34..881767f5b 100644
--- a/yaml/c98af16e-197f-4e66-bf94-14646bde32dd.yml
+++ b/yaml/c98af16e-197f-4e66-bf94-14646bde32dd.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: CupFixerx64.sys
 MD5: 2b3e0db4f00d4b3d0b4d178234b02e72
diff --git a/yaml/ca1e8664-841f-4e4b-9e67-3f515cc249c6.yaml b/yaml/ca1e8664-841f-4e4b-9e67-3f515cc249c6.yaml
index d83396185..dcb964d8a 100644
--- a/yaml/ca1e8664-841f-4e4b-9e67-3f515cc249c6.yaml
+++ b/yaml/ca1e8664-841f-4e4b-9e67-3f515cc249c6.yaml
@@ -29,6 +29,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: ndislan.sys
 MD5: 47e6ac52431ca47da17248d80bf71389
diff --git a/yaml/ca415ed5-b611-4840-bfb2-6e1eacac33d1.yaml b/yaml/ca415ed5-b611-4840-bfb2-6e1eacac33d1.yaml
index 247ea23c4..4b8e44c2d 100644
--- a/yaml/ca415ed5-b611-4840-bfb2-6e1eacac33d1.yaml
+++ b/yaml/ca415ed5-b611-4840-bfb2-6e1eacac33d1.yaml
@@ -31,6 +31,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: Monitor_win10_x64.sys
 MD5: 988dabdcf990b134b0ac1e00512c30c4
diff --git a/yaml/ca768fc5-9b5c-4ced-90ab-fd6be9a70199.yaml b/yaml/ca768fc5-9b5c-4ced-90ab-fd6be9a70199.yaml
index 60c301ff7..6e0279d69 100644
--- a/yaml/ca768fc5-9b5c-4ced-90ab-fd6be9a70199.yaml
+++ b/yaml/ca768fc5-9b5c-4ced-90ab-fd6be9a70199.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: amp.sys
 MD5: c533d6d64b474ffc3169a0e0fc0a701a
diff --git a/yaml/cf49f43c-d7b4-4c1a-a40d-1be36ea64bff.yaml b/yaml/cf49f43c-d7b4-4c1a-a40d-1be36ea64bff.yaml
index ab0d0f6ef..6e4c378f9 100644
--- a/yaml/cf49f43c-d7b4-4c1a-a40d-1be36ea64bff.yaml
+++ b/yaml/cf49f43c-d7b4-4c1a-a40d-1be36ea64bff.yaml
@@ -27,6 +27,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: SysDrv3S.sys
 MD5: 31eca8c0b32135850d5a50aee11fec87
diff --git a/yaml/cfdc5cb4-be5c-4dcc-a883-825fa72115b4.yaml b/yaml/cfdc5cb4-be5c-4dcc-a883-825fa72115b4.yaml
index 3bec19af8..47157f27d 100644
--- a/yaml/cfdc5cb4-be5c-4dcc-a883-825fa72115b4.yaml
+++ b/yaml/cfdc5cb4-be5c-4dcc-a883-825fa72115b4.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: PanMonFlt.sys
 MD5: 2850608430dd089f24386f3336c84729
diff --git a/yaml/d0048840-970f-4ad5-9a07-1d39469d721f.yaml b/yaml/d0048840-970f-4ad5-9a07-1d39469d721f.yaml
index a9f2b9b2c..8e3cb64a6 100644
--- a/yaml/d0048840-970f-4ad5-9a07-1d39469d721f.yaml
+++ b/yaml/d0048840-970f-4ad5-9a07-1d39469d721f.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: asmmap64.sys
 MD5: 4c016fd76ed5c05e84ca8cab77993961
diff --git a/yaml/d2806397-9ceb-47c8-b5f3-3aabec182ff5.yaml b/yaml/d2806397-9ceb-47c8-b5f3-3aabec182ff5.yaml
index 5010b0f42..e260851e1 100644
--- a/yaml/d2806397-9ceb-47c8-b5f3-3aabec182ff5.yaml
+++ b/yaml/d2806397-9ceb-47c8-b5f3-3aabec182ff5.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: NCHGBIOS2x64.SYS
 MD5: d9ce18960c23f38706ae9c6584d9ac90
diff --git a/yaml/d35cb48d-2aca-4d7d-a194-f4566183bcd9.yml b/yaml/d35cb48d-2aca-4d7d-a194-f4566183bcd9.yml
index 7a794dd0f..ce85ed944 100644
--- a/yaml/d35cb48d-2aca-4d7d-a194-f4566183bcd9.yml
+++ b/yaml/d35cb48d-2aca-4d7d-a194-f4566183bcd9.yml
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
 Person: []
 Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: TmComm.sys
 MD5: 34686a4b10f239d781772e9e94486c1a
diff --git a/yaml/d55a5955-6220-4f38-ba7d-91339330fe98.yaml b/yaml/d55a5955-6220-4f38-ba7d-91339330fe98.yaml
index befdfedf1..b92f78f5a 100644
--- a/yaml/d55a5955-6220-4f38-ba7d-91339330fe98.yaml
+++ b/yaml/d55a5955-6220-4f38-ba7d-91339330fe98.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: nvflash.sys
 MD5: 84fb76ee319073e77fb364bbbbff5461
diff --git a/yaml/d819bee2-3bff-481f-a301-acc3d1f5fe58.yaml b/yaml/d819bee2-3bff-481f-a301-acc3d1f5fe58.yaml
index 761adb0e0..abf377738 100644
--- a/yaml/d819bee2-3bff-481f-a301-acc3d1f5fe58.yaml
+++ b/yaml/d819bee2-3bff-481f-a301-acc3d1f5fe58.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: Se64a.sys
 MD5: 0a6a1c9a7f80a2a5dcced5c4c0473765
diff --git a/yaml/d9e00cc7-a8f4-4390-a6dc-0f5423e97da4.yaml b/yaml/d9e00cc7-a8f4-4390-a6dc-0f5423e97da4.yaml
index 135835834..8b9ed9c85 100644
--- a/yaml/d9e00cc7-a8f4-4390-a6dc-0f5423e97da4.yaml
+++ b/yaml/d9e00cc7-a8f4-4390-a6dc-0f5423e97da4.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: mydrivers.sys
 MD5: 507a649eb585d8d0447eab0532ef0c73
diff --git a/yaml/d9f2c3d6-160c-4eb3-8547-894fcf810342.yaml b/yaml/d9f2c3d6-160c-4eb3-8547-894fcf810342.yaml
index 3e1e7999f..a0fa35923 100644
--- a/yaml/d9f2c3d6-160c-4eb3-8547-894fcf810342.yaml
+++ b/yaml/d9f2c3d6-160c-4eb3-8547-894fcf810342.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: driver7-x86-withoutdbg.sys
 MD5: 4f191abc652d8f7442ca2636725e1ed6
diff --git a/yaml/da7314dc-6cf1-4d74-a0d1-796fc08944f8.yaml b/yaml/da7314dc-6cf1-4d74-a0d1-796fc08944f8.yaml
index 7ed1fd882..9bd4768a0 100644
--- a/yaml/da7314dc-6cf1-4d74-a0d1-796fc08944f8.yaml
+++ b/yaml/da7314dc-6cf1-4d74-a0d1-796fc08944f8.yaml
@@ -64,6 +64,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: windbg.sys
 MD5: 40f35792e7565aa047796758a3ce1b77
diff --git a/yaml/de003542-80e1-4aa0-9b99-ed8647a93a6e.yaml b/yaml/de003542-80e1-4aa0-9b99-ed8647a93a6e.yaml
index b014f7326..99f836e95 100644
--- a/yaml/de003542-80e1-4aa0-9b99-ed8647a93a6e.yaml
+++ b/yaml/de003542-80e1-4aa0-9b99-ed8647a93a6e.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: cpuz_x64.sys
 MD5: 7d46d0ddaf8c7e1776a70c220bf47524
diff --git a/yaml/de365e80-45cb-48fb-af6e-0a96a5ad7777.yaml b/yaml/de365e80-45cb-48fb-af6e-0a96a5ad7777.yaml
index f954f0f28..98ec5e284 100644
--- a/yaml/de365e80-45cb-48fb-af6e-0a96a5ad7777.yaml
+++ b/yaml/de365e80-45cb-48fb-af6e-0a96a5ad7777.yaml
@@ -29,6 +29,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: ''
 MD5: 3f8cdaf7413000d34d6a1a1d5341a11b
diff --git a/yaml/de4dd27a-1f7e-4271-98a4-55395ab6aabf.yaml b/yaml/de4dd27a-1f7e-4271-98a4-55395ab6aabf.yaml
index 156863bb5..9375f3ecf 100644
--- a/yaml/de4dd27a-1f7e-4271-98a4-55395ab6aabf.yaml
+++ b/yaml/de4dd27a-1f7e-4271-98a4-55395ab6aabf.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: BS_I2c64.sys
 MD5: 83601bbe5563d92c1fdb4e960d84dc77
diff --git a/yaml/dfce8b0f-d857-4808-80ef-61273c7a4183.yaml b/yaml/dfce8b0f-d857-4808-80ef-61273c7a4183.yaml
index 9f81d22ad..3b14761b5 100644
--- a/yaml/dfce8b0f-d857-4808-80ef-61273c7a4183.yaml
+++ b/yaml/dfce8b0f-d857-4808-80ef-61273c7a4183.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: Dh_Kernel_10.sys
 MD5: 51207adb8dab983332d6b22c29fe8129
diff --git a/yaml/e4098d7e-78b3-4da1-96cb-68b27f245e02.yaml b/yaml/e4098d7e-78b3-4da1-96cb-68b27f245e02.yaml
index a2a0146d8..8add6d9a6 100644
--- a/yaml/e4098d7e-78b3-4da1-96cb-68b27f245e02.yaml
+++ b/yaml/e4098d7e-78b3-4da1-96cb-68b27f245e02.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: HwOs2Ec7x64.sys
 MD5: bae1f127c4ff21d8fe45e2bbfc59c180
diff --git a/yaml/e42cd285-4dda-4086-a696-93ab1d6f17ca.yaml b/yaml/e42cd285-4dda-4086-a696-93ab1d6f17ca.yaml
index ebc39267c..7327eb92c 100644
--- a/yaml/e42cd285-4dda-4086-a696-93ab1d6f17ca.yaml
+++ b/yaml/e42cd285-4dda-4086-a696-93ab1d6f17ca.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: HOSTNT.sys
 MD5: e8ebba56ea799e1e62748c59e1a4c586
diff --git a/yaml/e4609b54-cb25-4433-a75a-7a17f43cec00.yaml b/yaml/e4609b54-cb25-4433-a75a-7a17f43cec00.yaml
index 6cc4241c7..780998c44 100644
--- a/yaml/e4609b54-cb25-4433-a75a-7a17f43cec00.yaml
+++ b/yaml/e4609b54-cb25-4433-a75a-7a17f43cec00.yaml
@@ -28,6 +28,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: HwRwDrv.sys
   MD5: dbc415304403be25ac83047c170b0ec2
diff --git a/yaml/e5f12b82-8d07-474e-9587-8c7b3714d60c.yml b/yaml/e5f12b82-8d07-474e-9587-8c7b3714d60c.yml
index bff7f2ad9..934a9f416 100644
--- a/yaml/e5f12b82-8d07-474e-9587-8c7b3714d60c.yml
+++ b/yaml/e5f12b82-8d07-474e-9587-8c7b3714d60c.yml
@@ -22,7 +22,17 @@ Resources:
 Acknowledgement:
   Person: []
   Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: zam64.sys
   MD5: 2a3ce41bb2a7894d939fbd1b20dae5a0
diff --git a/yaml/e7c958da-fd5d-40d6-975e-582c6fee7f69.yaml b/yaml/e7c958da-fd5d-40d6-975e-582c6fee7f69.yaml
index 68914f149..12e74cf2b 100644
--- a/yaml/e7c958da-fd5d-40d6-975e-582c6fee7f69.yaml
+++ b/yaml/e7c958da-fd5d-40d6-975e-582c6fee7f69.yaml
@@ -30,6 +30,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: BS_RCIO64.sys
   MD5: b10b210c5944965d0dc85e70a0b19a42
diff --git a/yaml/eb07ef7e-0402-48eb-8e06-8fb76eda5b84.yml b/yaml/eb07ef7e-0402-48eb-8e06-8fb76eda5b84.yml
index f658e94fb..b060bd9b4 100644
--- a/yaml/eb07ef7e-0402-48eb-8e06-8fb76eda5b84.yml
+++ b/yaml/eb07ef7e-0402-48eb-8e06-8fb76eda5b84.yml
@@ -27,6 +27,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: LHA.sys
   MD5: 1d768959aaa194d60e4524ce47708377
diff --git a/yaml/edd29861-6984-4dbe-8e7c-22e9b6cf68d0.yaml b/yaml/edd29861-6984-4dbe-8e7c-22e9b6cf68d0.yaml
index adfa6aa62..ba2bfc4c2 100644
--- a/yaml/edd29861-6984-4dbe-8e7c-22e9b6cf68d0.yaml
+++ b/yaml/edd29861-6984-4dbe-8e7c-22e9b6cf68d0.yaml
@@ -29,6 +29,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: krpocesshacker.sys
   MD5: bbbc9a6cc488cfb0f6c6934b193891eb
diff --git a/yaml/eef1fcf4-8c54-420b-8d38-9c5f95129dcc.yaml b/yaml/eef1fcf4-8c54-420b-8d38-9c5f95129dcc.yaml
index bd0dd8caa..ddf18b4e4 100644
--- a/yaml/eef1fcf4-8c54-420b-8d38-9c5f95129dcc.yaml
+++ b/yaml/eef1fcf4-8c54-420b-8d38-9c5f95129dcc.yaml
@@ -29,6 +29,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: ntbios.sys
   MD5: 14580bd59c55185115fd3abe73b016a2
diff --git a/yaml/f4126206-564f-49f5-a942-2138a3131e0e.yml b/yaml/f4126206-564f-49f5-a942-2138a3131e0e.yml
index 34ab3905d..0c7e9970b 100644
--- a/yaml/f4126206-564f-49f5-a942-2138a3131e0e.yml
+++ b/yaml/f4126206-564f-49f5-a942-2138a3131e0e.yml
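Review bot: The `yara_signature` added for this entry (ntbios.sys) points at yara-rules_mal_drivers_strict.yar, so the script treated it as a malicious rather than a vulnerable driver, yet the `sigma_hash`, `sigma_names`, `sysmon_hash_detect` and `sysmon_hash_block` values added with it are the vuln-driver artefacts (driver_load_win_vuln_drivers*.yml, sysmon_config_vulnerable_hashes*.xml) used for every other file in this chunk. If the sigma and sysmon outputs are split by category the way the yara files are (the second patch's diffstat lists separate yara-rules_mal_drivers*.yar and yara-rules_vuln_drivers*.yar), these four links would send an analyst to rule files that may not carry this driver's hashes. Worth confirming in enrich_with_yara.py that the category decision applied to the yara reference is applied to the other four references too, or stating in the entry that only the yara reference is category-specific.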
@@ -16,7 +16,17 @@ Resources:
 Acknowledgement:
   Person: []
   Handle: ''
-Detection: []
+Detection:
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: NICM.SYS
   MD5: 52b7cd123f6d1b9ed76b08f2ee7d9433
diff --git a/yaml/f4990bdd-8821-4a3c-a11a-4651e645810c.yaml b/yaml/f4990bdd-8821-4a3c-a11a-4651e645810c.yaml
index fe98dc1ba..4feac3ef4 100644
--- a/yaml/f4990bdd-8821-4a3c-a11a-4651e645810c.yaml
+++ b/yaml/f4990bdd-8821-4a3c-a11a-4651e645810c.yaml
@@ -28,6 +28,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: IOMap64.sys
   MD5: a01c412699b6f21645b2885c2bae4454
diff --git a/yaml/f4c22f4d-eff8-40c5-8b31-146abe5f17b7.yaml b/yaml/f4c22f4d-eff8-40c5-8b31-146abe5f17b7.yaml
index 6d2e0996a..15f5c08a3 100644
--- a/yaml/f4c22f4d-eff8-40c5-8b31-146abe5f17b7.yaml
+++ b/yaml/f4c22f4d-eff8-40c5-8b31-146abe5f17b7.yaml
@@ -30,6 +30,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: physmem.sys
   SHA1: 589a7d4df869395601ba7538a65afae8c4616385
diff --git a/yaml/f654ad84-c61d-477c-a0b2-d153b927dfcc.yaml b/yaml/f654ad84-c61d-477c-a0b2-d153b927dfcc.yaml
index ab59aa1b8..5d57a8103 100644
--- a/yaml/f654ad84-c61d-477c-a0b2-d153b927dfcc.yaml
+++ b/yaml/f654ad84-c61d-477c-a0b2-d153b927dfcc.yaml
@@ -29,6 +29,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: EIO.sys
   MD5: be9eeea2a8cac5f6cd92c97f234e2fe1
diff --git a/yaml/fab98aaa-e4e7-4c4a-af65-c00d35cf66e9.yaml b/yaml/fab98aaa-e4e7-4c4a-af65-c00d35cf66e9.yaml
index f6f76cd04..ef996379e 100644
--- a/yaml/fab98aaa-e4e7-4c4a-af65-c00d35cf66e9.yaml
+++ b/yaml/fab98aaa-e4e7-4c4a-af65-c00d35cf66e9.yaml
@@ -28,6 +28,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: cpuz141.sys
   MD5: db72def618cbc3c5f9aa82f091b54250
diff --git a/yaml/fbdd993b-47b1-4448-8c41-24c310802398.yaml b/yaml/fbdd993b-47b1-4448-8c41-24c310802398.yaml
index 567e01f27..45a6cf459 100644
--- a/yaml/fbdd993b-47b1-4448-8c41-24c310802398.yaml
+++ b/yaml/fbdd993b-47b1-4448-8c41-24c310802398.yaml
@@ -35,6 +35,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: rwdrv.sys
   MD5: 257483d5d8b268d0d679956c7acdf02d
diff --git a/yaml/fdf4f85b-47f4-4c98-a0d5-a6583463f565.yaml b/yaml/fdf4f85b-47f4-4c98-a0d5-a6583463f565.yaml
index a2fdb1b23..ba10a4cab 100644
--- a/yaml/fdf4f85b-47f4-4c98-a0d5-a6583463f565.yaml
+++ b/yaml/fdf4f85b-47f4-4c98-a0d5-a6583463f565.yaml
@@ -28,6 +28,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: vmdrv.sys
   MD5: d5db81974ffda566fa821400419f59be
diff --git a/yaml/fe2f68e1-e459-4802-9a9a-23bb3c2fd331.yaml b/yaml/fe2f68e1-e459-4802-9a9a-23bb3c2fd331.yaml
index 808c6c424..c46cbfb7a 100644
--- a/yaml/fe2f68e1-e459-4802-9a9a-23bb3c2fd331.yaml
+++ b/yaml/fe2f68e1-e459-4802-9a9a-23bb3c2fd331.yaml
@@ -28,6 +28,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: kEvP64.sys
   MD5: 20125794b807116617d43f02b616e092
diff --git a/yaml/ff74f03e-e4ce-4242-bfe3-60601056bb34.yaml b/yaml/ff74f03e-e4ce-4242-bfe3-60601056bb34.yaml
index fc3af8ef9..5f455d52d 100644
--- a/yaml/ff74f03e-e4ce-4242-bfe3-60601056bb34.yaml
+++ b/yaml/ff74f03e-e4ce-4242-bfe3-60601056bb34.yaml
@@ -28,6 +28,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 KnownVulnerableSamples:
 - Filename: CorsairLLAccess64.sys
   MD5: 803a371a78d528a44ef8777f67443b16
From b3d873f87b4738b2828d77730db2890aa1543583 Mon Sep 17 00:00:00 2001
From: josehelps Date: Mon, 31 Jul 2023 10:50:56 -0400 Subject: [PATCH 2/2] updating yara --- detections/yara/yara-rules_mal_drivers.yar | 394 +- .../yara/yara-rules_mal_drivers_strict.yar | 394 +- detections/yara/yara-rules_vuln_drivers.yar | 3596 +++++++++++++--- .../yara/yara-rules_vuln_drivers_strict.yar | 3602 +++++++++++++--- ...yara-rules_vuln_drivers_strict_renamed.yar | 3668 ++++++++++++++--- .../0258df5c-c3c1-4ed5-ba8f-846d91526ffe.yaml | 10 + .../02e4a30f-8aa8-4ff0-8e02-1bff1d0f088f.yaml | 10 + .../04d377f9-36e0-42a4-8d47-62232163dc68.yaml | 10 + .../080a834f-3e19-4cae-b940-a4ecf901db28.yaml | 10 + .../080ff223-f8e0-49c0-a7b5-e97349cf81a0.yaml | 10 + .../0baa833c-e4e1-449e-86ee-cafeb11f5fd5.yaml | 10 + .../0e3b0052-18c7-4c8b-a064-a1332df07af2.yaml | 10 + .../0f59ce3b-20ac-41ba-8010-2abc74827eb8.yaml | 10 + .../0f8e317e-ad2b-4b02-9f96-603bb8d28604.yaml | 10 + .../127cde1d-905e-4c67-a2c3-04ea4deaea7d.yaml | 10 + .../137daca4-0d7b-48aa-8574-f7eb6ad02526.yaml | 10 + .../17cf4fac-88f1-467d-9f62-481d33accc5b.yaml | 10 + .../19003e00-d42d-4cbe-91f3-756451bdd7da.yaml | 12 +- .../19d16518-4aee-4983-ba89-dbbe0fa8a3e7.yaml | 10 + .../1aeb1205-8b02-42b6-a563-b953ea337c19.yaml | 10 + .../1c6e1d3b-f825-4065-9e0c-83386883e40f.yaml | 10 + .../1c7631f0-f92f-4be5-8ba7-3eefb0601d45.yaml | 10 + .../1d2cdef1-de44-4849-80e5-e2fa288df681.yaml | 10 + .../20076ebf-4427-4056-b035-5238f95debe9.yaml | 10 + .../205721b7-b83b-414a-b4b5-8bacb4a37777.yaml | 10 + .../213676bb-ffb9-4d0d-a442-8cefee63acc1.yaml | 10 + .../2225128d-a23f-434a-aaee-69a88ea64fbd.yaml | 10 + .../22aa985b-5fdb-4e38-9382-a496220c27ec.yaml | 10 + .../23f11e19-0776-4dd4-9c9c-7f6b60f8553f.yaml | 10 + .../24fb7bab-b8c3-46ea-a370-c84d2f0ff614.yaml | 10 + .../2b949a0d-939f-456a-a34f-4589d7712227.yaml | 10 + .../2bea1bca-753c-4f09-bc9f-566ab0193f4a.yaml | 10 + .../2c3884d3-9e4f-4519-b18b-0969612621bc.yaml | 12 +- .../2e4fedb0-30ed-400d-b4e1-b2b2004c1607.yaml | 10 + .../31686f0e-3748-48c2-be09-fc8f3252e780.yaml | 10 + 
.../31797996-6973-402d-a4a0-d01ce51e02c0.yaml | 10 + .../3277cecc-f4b4-4a00-be01-9da83e013bcd.yaml | 10 + .../32ccd436-eb13-4ab3-83d4-3e5471f4e364.yaml | 10 + .../33a9c9ae-5ca3-442d-9f0f-2615637c1c57.yaml | 10 + .../351ff5ca-f07b-4eb6-9300-d5d31514defb.yaml | 10 + .../39742f99-2180-46d7-8538-56667c935cc3.yaml | 10 + .../3ab0d182-6365-47a7-89f4-34121e889503.yaml | 10 + .../3ac0eda2-a844-4a9d-9cfa-c25a9e05d678.yaml | 10 + .../3bc629e8-7bf8-40c2-965b-87eb155e0065.yaml | 10 + .../3e0bf6dc-791b-4170-8c40-427e7299d93d.yaml | 10 + .../3f39af20-802a-4909-a5de-7f6fe7aab350.yaml | 10 + .../40bfb01b-d251-4c2c-952e-052a89a76f5b.yaml | 10 + .../43d0af25-c066-471f-bb73-6ce25dc7e0eb.yaml | 10 + .../47724cc1-bf75-4ab7-a47a-355a9aa30de1.yaml | 10 + .../47a351ee-8abe-40d8-bc2b-557390fa0945.yaml | 10 + .../47fe1aaf-02cd-4a41-8bf5-0047015a2a6e.yaml | 10 + .../48bc2815-85ec-4436-a51a-69810c8cb171.yaml | 10 + .../4a80da66-f8f1-4af9-ba56-696cfe6c1e10.yaml | 10 + .../4d365dd0-34c3-492e-a2bd-c16266796ae5.yaml | 10 + .../4db827b1-325b-444d-9f23-171285a4d12f.yaml | 10 + .../51c342f3-0b91-4674-8f81-bc016855f30f.yaml | 10 + .../54d67d79-0268-4c5f-be7e-0f74cd20828a.yaml | 10 + .../57f63efb-dc43-4dba-9413-173e3e4be750.yaml | 10 + .../57fc510a-e649-4599-b83e-8f3605e3d1d9.yaml | 10 + .../5943b267-64f3-40d4-8669-354f23dec122.yaml | 10 + .../5961e133-ccc3-4530-8f4f-5d975c41028d.yaml | 10 + .../5969b6dc-b136-480e-a527-3cb2ea2f0da9.yaml | 10 + .../5a03dc5a-115d-4d6f-b5b5-685f4c014a69.yaml | 10 + .../5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c.yaml | 10 + .../5af9abf0-d8de-4e9b-8141-e9e97a31901a.yaml | 10 + .../5f70bde4-9f81-44a8-9d3e-c6c7cf65bfae.yaml | 10 + .../61514cbd-6f34-4a3e-a022-9ecbccc16feb.yaml | 10 + .../670dc258-78b5-4552-a16b-b41917c86f8d.yaml | 10 + .../6a50e368-1120-434b-9232-1a0702c80437.yaml | 10 + .../6c0c60f0-895d-428a-a8ae-e10390bceb12.yaml | 10 + .../6d21df78-d718-44df-b722-99eec654f5b2.yaml | 10 + .../6fc3034f-8b40-44ef-807a-f61d3ea2dece.yaml | 10 + 
.../705facba-b595-41dd-86a6-93aefe6a6234.yaml | 10 + .../70acea34-7ed2-42d5-885c-eca3c2de640c.yaml | 10 + .../70fa8606-c147-4c40-8b7a-980290075327.yaml | 10 + .../72637cb1-5ca2-4ad0-a5df-20da17b231b5.yaml | 10 + .../73290fcb-a0d7-481e-81a5-65a9859b50f5.yaml | 10 + .../76b5dfae-b384-45ce-8646-b2eec6b76a1e.yaml | 10 + .../7bb5ff05-25f8-410d-ae99-c8e8f082d24f.yaml | 10 + .../7ce8fb06-46eb-4f4f-90d5-5518a6561f15.yaml | 10 + .../7f645b95-4374-47ae-be1a-e4415308b550.yaml | 10 + .../81a73e57-2e92-4d21-97d3-1c21eb4c3aea.yaml | 10 + .../855ade1f-8a9e-4c9d-ab8e-d7e409609852.yaml | 10 + .../86cff0de-2536-4b8d-a846-a7312c569597.yaml | 10 + .../87752fb8-e9f6-4235-91e2-c4343677d817.yaml | 10 + .../892292f9-b87c-40a5-80e5-8c9b02914e8b.yaml | 10 + .../8ff4ab50-05b7-4bfa-b994-1920c4ed4978.yaml | 10 + .../91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f.yaml | 10 + .../93740202-930c-4ab4-8603-8ec9532c5415.yaml | 12 +- .../93c84c08-4683-493d-abf7-22dc2d1cb567.yaml | 10 + .../97fa88f6-3819-4d56-a82c-52a492a9e2b5.yaml | 10 + .../998ed67c-9c20-46ef-a6ba-abc606b540b9.yaml | 10 + .../999a11ae-ec2b-4863-baa4-1384ec2b7339.yaml | 10 + .../9a4fb66e-9084-4b21-9d76-a7afbe330606.yaml | 10 + .../9c3c6e89-3916-498f-81e5-da057ab3ed42.yaml | 10 + .../9ca73d04-3349-4c16-9384-94c43335a031.yaml | 10 + .../9e87b6b0-00ed-4259-bcd7-05e2c924d58c.yaml | 10 + .../a22104a8-126d-449f-ba3e-28678c60c587.yaml | 10 + .../a261cd64-0d04-4bf5-ad73-f3bb96bf83cf.yaml | 10 + .../a285591e-ad3c-46a3-a648-c58589ff5efc.yaml | 10 + .../a33de377-d2c2-4c71-98ca-cd0be8d284f9.yaml | 10 + .../a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f.yaml | 10 + .../a5ebba11-5a31-48d2-9c6d-78bba397edf1.yaml | 10 + .../a66d0413-cc82-4f1e-bcf1-0dcf9d79f6c0.yaml | 10 + .../a7775cbe-624b-4b04-b74f-969f77c2ac02.yaml | 10 + .../a7bba474-815f-49be-bddc-4d76a64c866c.yaml | 10 + .../a845a05c-5357-4b78-9783-16b4d34b2cb0.yaml | 10 + .../a8e999ee-746f-4788-9102-c1d3d2914f56.yaml | 12 +- .../aa687f89-4f3b-4b59-b64e-fee5e2ae2310.yaml | 10 + 
.../ad21819d-3080-4fe2-89b1-74385031fb4d.yaml | 10 + .../b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6.yaml | 10 + .../b72f7335-6f27-42c5-85f5-ed7eb9016eac.yaml | 10 + .../babe348d-f160-41ec-9db9-2413b989c1f0.yaml | 10 + .../bb808089-5857-4df2-8998-753a7106cb44.yaml | 10 + .../bc5e020a-ecff-43c8-b57b-ee17b5f65b21.yaml | 14 +- .../be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc.yaml | 10 + .../bf01915d-045f-442c-a74e-25c56182123f.yaml | 10 + .../c3cca618-5a7f-4a51-8785-cb328fbfb0df.yaml | 10 + .../ca1e8664-841f-4e4b-9e67-3f515cc249c6.yaml | 10 + .../ca415ed5-b611-4840-bfb2-6e1eacac33d1.yaml | 10 + .../ca768fc5-9b5c-4ced-90ab-fd6be9a70199.yaml | 10 + .../cf49f43c-d7b4-4c1a-a40d-1be36ea64bff.yaml | 10 + .../cfdc5cb4-be5c-4dcc-a883-825fa72115b4.yaml | 10 + .../d0048840-970f-4ad5-9a07-1d39469d721f.yaml | 10 + .../d2806397-9ceb-47c8-b5f3-3aabec182ff5.yaml | 10 + .../d819bee2-3bff-481f-a301-acc3d1f5fe58.yaml | 10 + .../d9e00cc7-a8f4-4390-a6dc-0f5423e97da4.yaml | 10 + .../d9f2c3d6-160c-4eb3-8547-894fcf810342.yaml | 10 + .../de003542-80e1-4aa0-9b99-ed8647a93a6e.yaml | 10 + .../de365e80-45cb-48fb-af6e-0a96a5ad7777.yaml | 10 + .../de4dd27a-1f7e-4271-98a4-55395ab6aabf.yaml | 10 + .../dfce8b0f-d857-4808-80ef-61273c7a4183.yaml | 10 + .../e368efc7-cf69-47ae-8204-f69dac000b22.yaml | 10 + .../e4098d7e-78b3-4da1-96cb-68b27f245e02.yaml | 10 + .../e42cd285-4dda-4086-a696-93ab1d6f17ca.yaml | 10 + .../e4609b54-cb25-4433-a75a-7a17f43cec00.yaml | 10 + .../e7c958da-fd5d-40d6-975e-582c6fee7f69.yaml | 10 + .../ecabc507-2cc7-4011-89ab-7d9d659e6f88.yaml | 10 + .../edd29861-6984-4dbe-8e7c-22e9b6cf68d0.yaml | 10 + .../eef1fcf4-8c54-420b-8d38-9c5f95129dcc.yaml | 10 + .../f22e7230-5f32-4c4e-bc9d-9076ebf10baa.yaml | 10 + .../f4990bdd-8821-4a3c-a11a-4651e645810c.yaml | 10 + .../f4c22f4d-eff8-40c5-8b31-146abe5f17b7.yaml | 10 + .../f654ad84-c61d-477c-a0b2-d153b927dfcc.yaml | 10 + .../fab98aaa-e4e7-4c4a-af65-c00d35cf66e9.yaml | 10 + .../fbdd993b-47b1-4448-8c41-24c310802398.yaml | 10 + 
.../fdf4f85b-47f4-4c98-a0d5-a6583463f565.yaml | 10 + .../fe2f68e1-e459-4802-9a9a-23bb3c2fd331.yaml | 10 + .../ff74f03e-e4ce-4242-bfe3-60601056bb34.yaml | 10 + 149 files changed, 11238 insertions(+), 1868 deletions(-)
diff --git a/detections/yara/yara-rules_mal_drivers.yar b/detections/yara/yara-rules_mal_drivers.yar
index 6217db182..e3eb325c7 100644
--- a/detections/yara/yara-rules_mal_drivers.yar
+++ b/detections/yara/yara-rules_mal_drivers.yar
@@ -1,4 +1,182 @@ +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_AAFA { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9" + hash = "8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe" + hash = "008fa89822b7a1f91e5843169083202ea580f7b06eb6d5cae091ba844d035f25" + hash = "b2486f9359c94d7473ad8331b87a9c17ca9ba6e4109fd26ce92dff01969eaa09" + hash = "beef40f1b4ce0ff2ee5c264955e6b2a0de6fe4089307510378adc83fad77228b" + hash = "8b30b2dc36d5e8f1ffc7281352923773fb821cdf66eb6516f82c697a524b599b" + hash = "60ee78a2b070c830fabb54c6bde0d095dff8fad7f72aa719758b3c41c72c2aa9" + hash = "e8743094f002239a8a9d6d7852c7852e0bb63cd411b007bd8c194bcba159ef15" + hash = "d41e39215c2c1286e4cd3b1dc0948adefb161f22bc3a78756a027d41614ee4ff" + hash = "d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be" + hash = "40556dd9b79b755cc0b48d3d024ceb15bd2c0e04960062ab2a85cd7d4d1b724a" + hash = "fefc070a5f6a9c0415e1c6f44512a33e8d163024174b30a61423d00d1e8f9bf2" + hash = "ec96b15ce218f97ec1d8f07f13b052d274c4c8438f31daf246ccfaaee5e1bebd" + hash = "6964a5d85639baee288555797992861232e75817f93028b50b8c6d34aa38b05b" + hash = "e858de280bd72d7538386a73e579580a6d5edba87b66b3671dc180229368be19" + hash = "2ce4f8089b02017cbe86a5f25d6bc69dd8b6f5060c918a64a4123a5f3be1e878" + hash = "82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2" + hash = "21617210249d2a35016e8ca6bd7a1edda25a12702a2294d56010ee8148637f5a" + hash = "443c0ba980d4db9213b654a45248fd855855c1cc81d18812cae9d16729ff9a85" + hash = "02ebf848fa618eba27065db366b15ee6629d98f551d20612ac38b9f655f37715" + hash = "a85d3fd59bb492a290552e5124bfe3f9e26a3086d69d42ccc44737b5a66673ec" + hash = "7662187c236003308a7951c2f49c0768636c492f8935292d02f69e59b01d236d" + hash = 
"c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_0740 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39" + hash = 
"4af8192870afe18c77381dfaf8478f8914fa32906812bb53073da284a49ae4c7" + hash = "818787057fc60ac8b957aa37d750aa4bace8e6a07d3d28b070022ee6dcd603ab" + hash = "af4f42197f5ce2d11993434725c81ecb6f54025110dedf56be8ffc0e775d9895" + hash = "e4b2c0aa28aac5e197312a061b05363e2e0387338b28b23272b5b6659d29b1d8" + hash = "469713c76c7a887826611b8c7180209a8bb6250f91d0f1eb84ac4d450ef15870" + hash = "2da2b883e48e929f5365480d487590957d9e6582cc6da2c0b42699ba85e54fe2" + hash = "9dc7beb60a0a6e7238fc8589b6c2665331be1e807b4d2b3ddd1c258dbbd3e2f7" + hash = "62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920" + hash = "3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6" + hash = "897f2bbe81fc3b1ae488114b93f3eb0133a85678d061c7a6f718507971f33736" + hash = "0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3" + hash = "29348ebe12d872c5f40e316a0043f7e5babe583374487345a79bad0ba93fbdfe" + hash = "ddf427ce55b36db522f638ba38e34cd7b96a04cb3c47849b91e7554bfd09a69a" + hash = "bcb774b6f6ff504d2db58096601bc5cb419c169bfbeaa3af852417e87d9b2aa0" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310036002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_3CA5 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3ca5d47d076e99c312578ef6499e1fa7b9db88551cfc0f138da11105aca7c5e1" + hash = "1a5c08d40a5e73b9fe63ea5761eaec8f41d916ca3da2acbc4e6e799b06af5524" + hash = "cf9451c9ccc5509b9912965f79c2b95eb89d805b2a186d7521d3a262cf5a7a37" + hash = "80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3" + hash = "e8ec06b1fa780f577ff0e8c713e0fd9688a48e0329c8188320f9eb62dfc0667f" + hash = "4b97d63ebdeda6941bb8cef5e94741c6cca75237ca830561f2262034805f0919" + hash = "4d42678df3917c37f44a1506307f1677b9a689efcf350b1acce7e6f64b514905" + hash = "d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f" + hash = "569fe70bedd0df8585689b0e88ad8bd0544fdf88b9dbfc2076f4bdbcf89c28aa" + hash = "aaf04d89fd15bc61265e545f8e1da80e20f59f90058ed343c62ee24358e3af9e" + hash = "ee7b8eb150df2788bb9d5fe468327899d9f60d6731c379fd75143730a83b1c55" + hash = "7b846b0a717665e4d9fb313f25d1f6a5b782e495387aea45cf87ad3c049ac0db" + hash = "082a79311da64b6adc3655e79aa090a9262acaac3b917a363b9571f520a17f6a" + hash = 
"4c89c907b7525b39409af1ad11cc7d2400263601edafc41c935715ef5bd145de" + hash = "492113a223d6a3fc110059fe46a180d82bb8e002ef2cd76cbf0c1d1eb8243263" + hash = "19dfacea1b9f19c0379f89b2424ceb028f2ce59b0db991ba83ae460027584987" + hash = "ac5fb90e88d8870cd5569e661bea98cf6b001d83ab7c65a5196ea3743146939a" + hash = "a1e6b431534258954db07039117b3159e889c6b9e757329bbd4126383c60c778" + hash = "f03f0fb3a26bb83e8f8fa426744cf06f2e6e29f5220663b1d64265952b8de1a1" + hash = "93aa3066ae831cdf81505e1bc5035227dc0e8f06ebbbb777832a17920c6a02fe" + hash = "85b9d7344bf847349b5d58ebe4d44fd63679a36164505271593ef1076aa163b2" + hash = "0f98492c92e35042b09032e3d9aedc357e4df94fc840217fa1091046f9248a06" + hash = "95e5b5500e63c31c6561161a82f7f9373f99b5b1f54b018c4866df4f2a879167" + hash = "d37996abc8efb29f1ccbb4335ce9ba9158bec86cc4775f0177112e87e4e3be5c" + hash = "f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5" + hash = "2456a7921fa8ab7b9779e5665e6b42fccc019feb9e49a9a28a33ec0a4bb323c4" + hash = "ee525b90053bb30908b5d7bf4c5e9b8b9d6b7b5c9091a26fa25d30d3ad8ef5d0" + hash = "efa56907b9d0ec4430a5d581f490b6b9052b1e979da4dab6a110ab92e17d4576" + hash = "bc49cb96f3136c3e552bf29f808883abb9e651040415484c1736261b52756908" + hash = "10ad50fcb360dcab8539ea322aaf2270565dc835b7535790937348523d723d6b" + hash = "c42c1e5c3c04163bf61c3b86b04a5ec7d302af7e254990cef359ac80474299da" + hash = "12b0000698b79ea3c8178b9e87801cc34bad096a151a8779559519deafd4e3f0" + hash = "083f821d90e607ed93221e71d4742673e74f573d0755a96ad17d1403f65a2254" + hash = "b0b80a11802b4a8ca69c818a03e76e7ef57c2e293de456439401e8e6073f8719" + hash = "793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875" + hash = "d43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96" + hash = "94c71954ac0b1fd9fa2bd5c506a16302100ba75d9f84f39ee9b333546c714601" + hash = "e99580e25f419b5ad90669e0c274cf63d30efa08065d064a863e655bdf77fb59" + hash = "4136f1eb11cc463a858393ea733d5f1c220a3187537626f7f5d63eccf7c5a03f" + hash = 
"a0931e16cf7b18d15579e36e0a69edad1717b07527b5407f2c105a2f554224b2" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000320030002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_07BE { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "07beac65e28ee124f1da354293a3d6ad7250ed1ce29b8342acfd22252548a5af" + hash = 
"41ad660820c41fc8b1860b13dc1fea8bc8cb2faceb36ed3e29d40d28079d2b1f" + hash = "a7a665a695ec3c0f862a0d762ad55aff6ce6014359647e7c7f7e3c4dc3be81b7" + hash = "9a42fa1870472c38a56c0a70f62e57a3cdc0f5bc142f3a400d897b85d65800ac" + hash = "1d23ab46ad547e7eef409b40756aae9246fbdf545d13946f770643f19c715e80" + hash = "8b32fc8b15363915605c127ccbf5cbe71778f8dfbf821a25455496e969a01434" + hash = "704c6ffe786bc83a73fbdcd2edd50f47c3b5053da7da6aa4c10324d389a31db4" + hash = "9e56e96df36237e65b3d7dbc490afdc826215158f6278cd579c576c4b455b392" + hash = "4bd4715d2a7af627da11513e32fab925c872babebdb7ff5675a75815fbf95021" + hash = "26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55" + hash = "b0a27ac1a8173413de13860d2b2e34cb6bc4d1149f94b62d319042e11d8b004c" + hash = "200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a" + hash = "c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c" + hash = "f6157e033a12520c73dcedf8e49cd42d103e5874c34d6527bb9de25a5d26e5ad" + hash = "406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9" + hash = "31b66a57fae0cc28a6a236d72a35c8b6244f997e700f9464f9cbf800dbf8bee6" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310039002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + rule MAL_Driver_Microsoftcorporation_Windbgsys_Microsoftwindowsoperatingsystem_E6F7 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - windbg.sys" @@ -21,7 +199,7 @@ rule MAL_Driver_Microsoftcorporation_Windbgsys_Microsoftwindowsoperatingsystem_E hash = "6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77" hash = "fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5" hash = "770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020004700550049002000730079006d0062006f006c00690063002000640065006200750067006700650072 } /* FileDescription WindowsGUIsymbolicdebugger */ 
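Review bot: Each rule added in this hunk (`_AAFA`, `_0740`, `_3CA5`, `_07BE`) conditions only on `all of them` over UTF-16 VersionInfo strings, with nothing tying the match to a PE image, so any object that happens to carry those resource strings (a memory dump, a packaged copy, a triage note) fires, while a rebuilt driver with edited VersionInfo does not; consider `condition: uint16(0) == 0x5a4d and all of them`, optionally with a `filesize` bound. The same applies to the rules added in `@@ -37,6 +215,116 @@` and `@@ -62,6 +350,30 @@`. The many `hash` meta entries document known samples but take no part in the condition, which deserves a one-line comment above each rule such as `/* hashes are provenance only; the match is on VersionInfo strings, not file identity */` so nobody reads hash-level precision into the rule. The `date` meta on the new and touched rules is `2023-07-31`, later than the commit's own date of 2023-07-26, which looks like a value carried over from the upstream generator run rather than set by this change — worth confirming it is intended.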
@@ -37,6 +215,116 @@ rule MAL_Driver_Microsoftcorporation_Windbgsys_Microsoftwindowsoperatingsystem_E } +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_26BE { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "26bea3b3ab2001d91202f289b7e41499d810474607db7a0893ceab74f5532f47" + hash = "4bca0a401b364a5cc1581a184116c5bafa224e13782df13272bc1b748173d1be" + hash = "5295080de37d4838e15dec4e3682545033d479d3d9ac28d74747c086559fb968" + hash = "64d4370843a07e25d4ceb68816015efcaeca9429bb5bb692a88e615b48c7da96" + hash = "0aab2deae90717a8876d46d257401d265cf90a5db4c57706e4003c19eee33550" + hash = "b8c71e1844e987cd6f9c2baf28d9520d4ccdd8593ce7051bb1b3c9bf1d97076a" + hash = "1ef7afea0cf2ef246ade6606ef8b7195de9cd7a3cd7570bff90ba1e2422276f6" + hash = "c4c9c84b211899ceb0d18a839afa497537a7c7c01ab481965a09788a9e16590c" + hash = "51805bb537befaac8ce28f2221624cb4d9cefdc0260bc1afd5e0bc97bf1f9f93" + hash = "618b15970671700188f4102e5d0638184e2723e8f57f7e917fa49792daebdadb" + hash = "62036cdf3663097534adf3252b921eed06b73c2562655eae36b126c7d3d83266" + hash = "c7bccc6f38403def4690e00a0b31eda05973d82be8953a3379e331658c51b231" + hash = "14b89298134696f2fd1b1df0961d36fa6354721ea92498a349dc421e79447925" + hash = "673bbc7fa4154f7d99af333014e888599c27ead02710f7bc7199184b30b38653" + hash = "15cf366f7b3ee526db7ce2b5253ffebcbfaa4f33a82b459237c049f854a97c0c" + hash = "c4fb31e3f24e40742a1b9855a2d67048fe64b26d8d2dbcec77d2d5deeded2bcc" + hash = "52f3905bbd97dcd2dbd22890e5e8413b9487088f1ee2fa828030a6a45b3975fd" + hash = "82b7fa34ad07dbf9afa63b2f6ed37973a1b4fe35dee90b3cf5c788c15c9f08f7" + hash = "f3ec3f22639d45b3c865bb1ed7622db32e04e1dbc456298be02bf1f3875c3aac" + hash = "b34e2d9f3d4ef59cf7af18e17133a6a06509373e69e33c8eecb2e30501d0d9e4" + hash = "8684aec77b4c3cafc1a6594de7e95695fa698625d4206a6c4b201875f76a5b38" 
+ hash = "a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852" + hash = "36c65aeb255c06898ffe32e301030e0b74c8bca6fe7be593584b8fdaacd4e475" + hash = "d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad" + hash = "822982c568b6f44b610f8dc4ab5d94795c33ae08a6a608050941264975c1ecdb" + hash = "6d68d8a71a11458ddf0cbb73c0f145bee46ef29ce03ad7ece6bd6aa9d31db9b7" + hash = "a78c9871da09fab21aec9b88a4e880f81ecb1ed0fa941f31cc2f041067e8e972" + hash = "4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b" + hash = "c8ae217860f793fce3ad0239d7b357dba562824dd7177c9d723ca4d4a7f99a12" + hash = "69866557566c59772f203c11f5fba30271448e231b65806a66e48f41e3804d7f" + hash = "a42f4ae69b8755a957256b57eb3d319678eab81705f0ffea0d649ace7321108f" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_06DD { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "06ddf49ac8e06e6b83fccba1141c90ea01b65b7db592c54ffe8aa6d30a75c0b8" + hash = "bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd" + hash = "0d676baac43d9e2d05b577d5e0c516fba250391ab0cb11232a4b17fd97a51e35" + hash = "627e13da6a45006fff4711b14754f9ccfac9a5854d275da798a22f3a68dd1eaa" + hash = "dfc80e0d468a2c115a902aa332a97e3d279b1fc3d32083e8cf9a4aadf3f54ad1" + hash = "07759750fbb93c77b5c3957c642a9498fcff3946a5c69317db8d6be24098a4a0" + hash = "94ba4bcbdb55d6faf9f33642d0072109510f5c57e8c963d1a3eb4f9111f30112" + hash = "baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3" + hash = "eab9b5b7e5fab1c2d7d44cd28f13ae8bb083d9362d2b930d43354a3dfd38e05a" + hash = "b169a5f643524d59330fafe6e3e328e2179fc5116ee6fae5d39581467d53ac03" + hash = "087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212" + hash = "a74e8f94d2c140646a8bb12e3e322c49a97bd1b8a2e4327863d3623f43d65c66" + hash = "4dc24fd07f8fb854e685bc540359c59f177de5b91231cc44d6231e33c9e932b1" + hash = "0f58e09651d48d2b1bcec7b9f7bb85a2d1a7b65f7a51db281fe0c4f058a48597" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription 
mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310034002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_30E0 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2" + hash = "a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription 
mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310033002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_8D9A { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wantd_4.sys" 
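Review bot: The three rules added here (`_26BE`, `_06DD`, `_30E0`) differ from each other and from the earlier mimidrv rules only in the hex-encoded FileVersion/ProductVersion and LegalCopyright-year bytes, and nothing in the rule name or meta says which variant each covers. A short comment above each rule, e.g. `/* mimidrv.sys variant: FileVersion 2.0.0.0, LegalCopyright 2007 - 2014 */` for `_06DD` (2.1.0.0 / 2017 for `_26BE`, 2.0.0.0 / 2013 for `_30E0`), would let a reviewer spot duplicate or missing variants without decoding UTF-16 hex by hand. The inline `/* FileVersion */` and `/* ProductVersion */` comments on those two strings are the only ones that omit the decoded value while every other string comment includes it; emitting the decoded version there would make the file self-describing.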
@@ -46,7 +334,7 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_8D
 hash = "e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e"
 hash = "06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4"
 hash = "b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */
@@ -62,6 +350,30 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_8D } +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_28F5 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553" + hash = "2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21" + hash = "7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310035002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + rule MAL_Driver_Microsoftcorporation_Ntbiosys_Microsoftrwindowsrntoperatingsystem_96BF { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ntbios.sys" @@ -69,7 +381,7 @@ rule MAL_Driver_Microsoftcorporation_Ntbiosys_Microsoftrwindowsrntoperatingsyste reference = "https://github.com/magicsword-io/LOLDrivers" hash = "96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc" hash = "c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006e007400620069006f00730020006400720069007600650072 } /* FileDescription ntbiosdriver */ @@ -91,7 +403,7 @@ rule MAL_Driver_Legalcorp_Pciexpressvideocapture_FD22 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005000430049006500200056006900640065006f00200043006100700074007500720065 } /* FileDescription PCIeVideoCapture */ 
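Review bot: The string set of `MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_28F5` added here (ProductVersion 2.0.0.0, LegalCopyright 2007 - 2015, plus InternalName, ProductName, OriginalFilename) is a strict superset of the five strings used by `MAL_Driver_Mimidrv_Mimidrvmimikatz_2FAF` in `@@ -211,13 +523,32 @@`, so every file that matches `_28F5` also matches `_2FAF` and one sample produces two alerts. If both rules are meant to coexist, a comment on `_28F5` such as `/* subsumed by MAL_Driver_Mimidrv_Mimidrvmimikatz_2FAF; kept for the extra hashes recorded in meta */` would record that; otherwise `_2FAF` can carry `and not MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_28F5`, which is valid because `_28F5` is defined earlier in the file. The hunk that adds `_2FAF` ends outside this chunk.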
@@ -112,7 +424,7 @@ rule MAL_Driver_Microsoftcorporation_Ndislansys_Microsoftwindowsoperatingsystem_
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d00530020004c0041004e0020004400720069007600650072 } /* FileDescription MSLANDriver */
@@ -134,7 +446,7 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_81
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */
@@ -156,7 +468,7 @@ rule MAL_Driver_Sensecorp_7F45 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006e0073006500350020004400720069007600650072 } /* FileDescription SenseDriver */
@@ -176,7 +488,7 @@ rule MAL_Driver_Microsoftcorporation_Wintapixsys_Microsoftwindowsoperatingsystem
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e"
 hash = "8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020004b00650072006e0065006c00200045007800650063007500740069007600650020004d006f00640075006c0065 } /* FileDescription WindowsKernelExecutiveModule */
@@ -198,7 +510,7 @@ rule MAL_Driver_Sensecorp_42B2 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006e0073006500350020004400720069007600650072 } /* FileDescription SenseDriver */
@@ -211,13 +523,32 @@ rule MAL_Driver_Sensecorp_42B2 { } +rule MAL_Driver_Mimidrv_Mimidrvmimikatz_2FAF { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8" + date = "2023-07-31" + score = 70 + strings: + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310035002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + all of them +} + + rule MAL_Driver_Microsoftcorporation_Srvnetsys_Microsoftwindowsoperatingsystem_F6C3 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinTapix.sys, SRVNET2.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053006500720076006500720020004e006500740077006f0072006b0020006400720069007600650072 } /* FileDescription ServerNetworkdriver */ 
@@ -233,35 +564,13 @@ rule MAL_Driver_Microsoftcorporation_Srvnetsys_Microsoftwindowsoperatingsystem_F } -rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_200F { - meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a" - date = "2023-07-14" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310039002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ - 
condition: - all of them -} - - rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_6908 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wantd_2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ @@ -283,7 +592,7 @@ rule MAL_Driver_Gmer_Gmersys_Gmer_18C9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004d00450052002000440072006900760065007200200068007400740070003a002f002f007700770077002e0067006d00650072002e006e00650074 } /* FileDescription GMERDriverhttpwwwgmernet */ 
@@ -297,3 +606,20 @@ rule MAL_Driver_Gmer_Gmersys_Gmer_18C9 {
 condition:
 all of them
 }
+
+
+rule MAL_Driver_773B {
+ meta:
+ description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
+ author = "Florian Roth"
+ reference = "https://github.com/magicsword-io/LOLDrivers"
+ hash = "773b4a1efb9932dd5116c93d06681990759343dfe13c0858d09245bc610d5894"
+ date = "2023-07-31"
+ score = 70
+ strings:
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* FileVersion */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* ProductVersion */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d002000320030003100370020 } /* LegalCopyright Copyrightc */
+ condition:
+ all of them
+}
diff --git a/detections/yara/yara-rules_mal_drivers_strict.yar b/detections/yara/yara-rules_mal_drivers_strict.yar
index 1d4c5ee35..5839a882c 100644
--- a/detections/yara/yara-rules_mal_drivers_strict.yar
+++ b/detections/yara/yara-rules_mal_drivers_strict.yar
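Review bot: `MAL_Driver_773B` carries no mimikatz-specific string at all — its three patterns decode to FileVersion `2.1.1.0`, ProductVersion `2.1.1.0` and the generic LegalCopyright prefix `Copyright (c) 2007 - 2017 ` (the generator's own comment `/* LegalCopyright Copyrightc */` shows the vendor part is absent), and the condition is a bare `all of them` with no PE or size guard, so any file carrying that version/copyright combination fires at score 70. The hash `773b4a1e…` does not appear in any strict-file rule visible in this patch, so this weak rule appears to be the only coverage for that sample. At minimum tighten the condition to `uint16(0) == 0x5a4d and filesize < 100KB and all of them`, as the strict rules in the second file do, and either add a sample-specific string or lower the score and state the limitation in `description`. If this file is regenerated from the upstream generator rather than hand-edited, the fix belongs in the generator's template so it is not overwritten on the next sync.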
@@ -1,4 +1,182 @@ +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_AAFA { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9" + hash = "8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe" + hash = "008fa89822b7a1f91e5843169083202ea580f7b06eb6d5cae091ba844d035f25" + hash = "b2486f9359c94d7473ad8331b87a9c17ca9ba6e4109fd26ce92dff01969eaa09" + hash = "beef40f1b4ce0ff2ee5c264955e6b2a0de6fe4089307510378adc83fad77228b" + hash = "8b30b2dc36d5e8f1ffc7281352923773fb821cdf66eb6516f82c697a524b599b" + hash = "60ee78a2b070c830fabb54c6bde0d095dff8fad7f72aa719758b3c41c72c2aa9" + hash = "e8743094f002239a8a9d6d7852c7852e0bb63cd411b007bd8c194bcba159ef15" + hash = "d41e39215c2c1286e4cd3b1dc0948adefb161f22bc3a78756a027d41614ee4ff" + hash = "d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be" + hash = "40556dd9b79b755cc0b48d3d024ceb15bd2c0e04960062ab2a85cd7d4d1b724a" + hash = "fefc070a5f6a9c0415e1c6f44512a33e8d163024174b30a61423d00d1e8f9bf2" + hash = "ec96b15ce218f97ec1d8f07f13b052d274c4c8438f31daf246ccfaaee5e1bebd" + hash = "6964a5d85639baee288555797992861232e75817f93028b50b8c6d34aa38b05b" + hash = "e858de280bd72d7538386a73e579580a6d5edba87b66b3671dc180229368be19" + hash = "2ce4f8089b02017cbe86a5f25d6bc69dd8b6f5060c918a64a4123a5f3be1e878" + hash = "82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2" + hash = "21617210249d2a35016e8ca6bd7a1edda25a12702a2294d56010ee8148637f5a" + hash = "443c0ba980d4db9213b654a45248fd855855c1cc81d18812cae9d16729ff9a85" + hash = "02ebf848fa618eba27065db366b15ee6629d98f551d20612ac38b9f655f37715" + hash = "a85d3fd59bb492a290552e5124bfe3f9e26a3086d69d42ccc44737b5a66673ec" + hash = "7662187c236003308a7951c2f49c0768636c492f8935292d02f69e59b01d236d" + hash = 
"c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e" + date = "2023-07-31" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_0740 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = 
"0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39" + hash = "4af8192870afe18c77381dfaf8478f8914fa32906812bb53073da284a49ae4c7" + hash = "818787057fc60ac8b957aa37d750aa4bace8e6a07d3d28b070022ee6dcd603ab" + hash = "af4f42197f5ce2d11993434725c81ecb6f54025110dedf56be8ffc0e775d9895" + hash = "e4b2c0aa28aac5e197312a061b05363e2e0387338b28b23272b5b6659d29b1d8" + hash = "469713c76c7a887826611b8c7180209a8bb6250f91d0f1eb84ac4d450ef15870" + hash = "2da2b883e48e929f5365480d487590957d9e6582cc6da2c0b42699ba85e54fe2" + hash = "9dc7beb60a0a6e7238fc8589b6c2665331be1e807b4d2b3ddd1c258dbbd3e2f7" + hash = "62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920" + hash = "3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6" + hash = "897f2bbe81fc3b1ae488114b93f3eb0133a85678d061c7a6f718507971f33736" + hash = "0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3" + hash = "29348ebe12d872c5f40e316a0043f7e5babe583374487345a79bad0ba93fbdfe" + hash = "ddf427ce55b36db522f638ba38e34cd7b96a04cb3c47849b91e7554bfd09a69a" + hash = "bcb774b6f6ff504d2db58096601bc5cb419c169bfbeaa3af852417e87d9b2aa0" + date = "2023-07-31" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310036002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_3CA5 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3ca5d47d076e99c312578ef6499e1fa7b9db88551cfc0f138da11105aca7c5e1" + hash = "1a5c08d40a5e73b9fe63ea5761eaec8f41d916ca3da2acbc4e6e799b06af5524" + hash = "cf9451c9ccc5509b9912965f79c2b95eb89d805b2a186d7521d3a262cf5a7a37" + hash = "80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3" + hash = "e8ec06b1fa780f577ff0e8c713e0fd9688a48e0329c8188320f9eb62dfc0667f" + hash = "4b97d63ebdeda6941bb8cef5e94741c6cca75237ca830561f2262034805f0919" + hash = "4d42678df3917c37f44a1506307f1677b9a689efcf350b1acce7e6f64b514905" + hash = "d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f" + hash = "569fe70bedd0df8585689b0e88ad8bd0544fdf88b9dbfc2076f4bdbcf89c28aa" + hash = "aaf04d89fd15bc61265e545f8e1da80e20f59f90058ed343c62ee24358e3af9e" + hash = "ee7b8eb150df2788bb9d5fe468327899d9f60d6731c379fd75143730a83b1c55" + hash = "7b846b0a717665e4d9fb313f25d1f6a5b782e495387aea45cf87ad3c049ac0db" + hash = 
"082a79311da64b6adc3655e79aa090a9262acaac3b917a363b9571f520a17f6a" + hash = "4c89c907b7525b39409af1ad11cc7d2400263601edafc41c935715ef5bd145de" + hash = "492113a223d6a3fc110059fe46a180d82bb8e002ef2cd76cbf0c1d1eb8243263" + hash = "19dfacea1b9f19c0379f89b2424ceb028f2ce59b0db991ba83ae460027584987" + hash = "ac5fb90e88d8870cd5569e661bea98cf6b001d83ab7c65a5196ea3743146939a" + hash = "a1e6b431534258954db07039117b3159e889c6b9e757329bbd4126383c60c778" + hash = "f03f0fb3a26bb83e8f8fa426744cf06f2e6e29f5220663b1d64265952b8de1a1" + hash = "93aa3066ae831cdf81505e1bc5035227dc0e8f06ebbbb777832a17920c6a02fe" + hash = "85b9d7344bf847349b5d58ebe4d44fd63679a36164505271593ef1076aa163b2" + hash = "0f98492c92e35042b09032e3d9aedc357e4df94fc840217fa1091046f9248a06" + hash = "95e5b5500e63c31c6561161a82f7f9373f99b5b1f54b018c4866df4f2a879167" + hash = "d37996abc8efb29f1ccbb4335ce9ba9158bec86cc4775f0177112e87e4e3be5c" + hash = "f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5" + hash = "2456a7921fa8ab7b9779e5665e6b42fccc019feb9e49a9a28a33ec0a4bb323c4" + hash = "ee525b90053bb30908b5d7bf4c5e9b8b9d6b7b5c9091a26fa25d30d3ad8ef5d0" + hash = "efa56907b9d0ec4430a5d581f490b6b9052b1e979da4dab6a110ab92e17d4576" + hash = "bc49cb96f3136c3e552bf29f808883abb9e651040415484c1736261b52756908" + hash = "10ad50fcb360dcab8539ea322aaf2270565dc835b7535790937348523d723d6b" + hash = "c42c1e5c3c04163bf61c3b86b04a5ec7d302af7e254990cef359ac80474299da" + hash = "12b0000698b79ea3c8178b9e87801cc34bad096a151a8779559519deafd4e3f0" + hash = "083f821d90e607ed93221e71d4742673e74f573d0755a96ad17d1403f65a2254" + hash = "b0b80a11802b4a8ca69c818a03e76e7ef57c2e293de456439401e8e6073f8719" + hash = "793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875" + hash = "d43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96" + hash = "94c71954ac0b1fd9fa2bd5c506a16302100ba75d9f84f39ee9b333546c714601" + hash = "e99580e25f419b5ad90669e0c274cf63d30efa08065d064a863e655bdf77fb59" + hash = 
"4136f1eb11cc463a858393ea733d5f1c220a3187537626f7f5d63eccf7c5a03f" + hash = "a0931e16cf7b18d15579e36e0a69edad1717b07527b5407f2c105a2f554224b2" + date = "2023-07-31" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000320030002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_07BE { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = 
"https://github.com/magicsword-io/LOLDrivers" + hash = "07beac65e28ee124f1da354293a3d6ad7250ed1ce29b8342acfd22252548a5af" + hash = "41ad660820c41fc8b1860b13dc1fea8bc8cb2faceb36ed3e29d40d28079d2b1f" + hash = "a7a665a695ec3c0f862a0d762ad55aff6ce6014359647e7c7f7e3c4dc3be81b7" + hash = "9a42fa1870472c38a56c0a70f62e57a3cdc0f5bc142f3a400d897b85d65800ac" + hash = "1d23ab46ad547e7eef409b40756aae9246fbdf545d13946f770643f19c715e80" + hash = "8b32fc8b15363915605c127ccbf5cbe71778f8dfbf821a25455496e969a01434" + hash = "704c6ffe786bc83a73fbdcd2edd50f47c3b5053da7da6aa4c10324d389a31db4" + hash = "9e56e96df36237e65b3d7dbc490afdc826215158f6278cd579c576c4b455b392" + hash = "4bd4715d2a7af627da11513e32fab925c872babebdb7ff5675a75815fbf95021" + hash = "26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55" + hash = "b0a27ac1a8173413de13860d2b2e34cb6bc4d1149f94b62d319042e11d8b004c" + hash = "200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a" + hash = "c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c" + hash = "f6157e033a12520c73dcedf8e49cd42d103e5874c34d6527bb9de25a5d26e5ad" + hash = "406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9" + hash = "31b66a57fae0cc28a6a236d72a35c8b6244f997e700f9464f9cbf800dbf8bee6" + date = "2023-07-31" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310039002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule MAL_Driver_Microsoftcorporation_Windbgsys_Microsoftwindowsoperatingsystem_E6F7 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - windbg.sys" @@ -21,7 +199,7 @@ rule MAL_Driver_Microsoftcorporation_Windbgsys_Microsoftwindowsoperatingsystem_E hash = "6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77" hash = "fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5" hash = "770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a" - date = "2023-07-14" + date = "2023-07-31" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020004700550049002000730079006d0062006f006c00690063002000640065006200750067006700650072 } /* FileDescription WindowsGUIsymbolicdebugger */ 
@@ -37,6 +215,116 @@ rule MAL_Driver_Microsoftcorporation_Windbgsys_Microsoftwindowsoperatingsystem_E } +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_26BE { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "26bea3b3ab2001d91202f289b7e41499d810474607db7a0893ceab74f5532f47" + hash = "4bca0a401b364a5cc1581a184116c5bafa224e13782df13272bc1b748173d1be" + hash = "5295080de37d4838e15dec4e3682545033d479d3d9ac28d74747c086559fb968" + hash = "64d4370843a07e25d4ceb68816015efcaeca9429bb5bb692a88e615b48c7da96" + hash = "0aab2deae90717a8876d46d257401d265cf90a5db4c57706e4003c19eee33550" + hash = "b8c71e1844e987cd6f9c2baf28d9520d4ccdd8593ce7051bb1b3c9bf1d97076a" + hash = "1ef7afea0cf2ef246ade6606ef8b7195de9cd7a3cd7570bff90ba1e2422276f6" + hash = "c4c9c84b211899ceb0d18a839afa497537a7c7c01ab481965a09788a9e16590c" + hash = "51805bb537befaac8ce28f2221624cb4d9cefdc0260bc1afd5e0bc97bf1f9f93" + hash = "618b15970671700188f4102e5d0638184e2723e8f57f7e917fa49792daebdadb" + hash = "62036cdf3663097534adf3252b921eed06b73c2562655eae36b126c7d3d83266" + hash = "c7bccc6f38403def4690e00a0b31eda05973d82be8953a3379e331658c51b231" + hash = "14b89298134696f2fd1b1df0961d36fa6354721ea92498a349dc421e79447925" + hash = "673bbc7fa4154f7d99af333014e888599c27ead02710f7bc7199184b30b38653" + hash = "15cf366f7b3ee526db7ce2b5253ffebcbfaa4f33a82b459237c049f854a97c0c" + hash = "c4fb31e3f24e40742a1b9855a2d67048fe64b26d8d2dbcec77d2d5deeded2bcc" + hash = "52f3905bbd97dcd2dbd22890e5e8413b9487088f1ee2fa828030a6a45b3975fd" + hash = "82b7fa34ad07dbf9afa63b2f6ed37973a1b4fe35dee90b3cf5c788c15c9f08f7" + hash = "f3ec3f22639d45b3c865bb1ed7622db32e04e1dbc456298be02bf1f3875c3aac" + hash = "b34e2d9f3d4ef59cf7af18e17133a6a06509373e69e33c8eecb2e30501d0d9e4" + hash = "8684aec77b4c3cafc1a6594de7e95695fa698625d4206a6c4b201875f76a5b38" 
+ hash = "a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852" + hash = "36c65aeb255c06898ffe32e301030e0b74c8bca6fe7be593584b8fdaacd4e475" + hash = "d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad" + hash = "822982c568b6f44b610f8dc4ab5d94795c33ae08a6a608050941264975c1ecdb" + hash = "6d68d8a71a11458ddf0cbb73c0f145bee46ef29ce03ad7ece6bd6aa9d31db9b7" + hash = "a78c9871da09fab21aec9b88a4e880f81ecb1ed0fa941f31cc2f041067e8e972" + hash = "4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b" + hash = "c8ae217860f793fce3ad0239d7b357dba562824dd7177c9d723ca4d4a7f99a12" + hash = "69866557566c59772f203c11f5fba30271448e231b65806a66e48f41e3804d7f" + hash = "a42f4ae69b8755a957256b57eb3d319678eab81705f0ffea0d649ace7321108f" + date = "2023-07-31" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_06DD { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "06ddf49ac8e06e6b83fccba1141c90ea01b65b7db592c54ffe8aa6d30a75c0b8" + hash = "bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd" + hash = "0d676baac43d9e2d05b577d5e0c516fba250391ab0cb11232a4b17fd97a51e35" + hash = "627e13da6a45006fff4711b14754f9ccfac9a5854d275da798a22f3a68dd1eaa" + hash = "dfc80e0d468a2c115a902aa332a97e3d279b1fc3d32083e8cf9a4aadf3f54ad1" + hash = "07759750fbb93c77b5c3957c642a9498fcff3946a5c69317db8d6be24098a4a0" + hash = "94ba4bcbdb55d6faf9f33642d0072109510f5c57e8c963d1a3eb4f9111f30112" + hash = "baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3" + hash = "eab9b5b7e5fab1c2d7d44cd28f13ae8bb083d9362d2b930d43354a3dfd38e05a" + hash = "b169a5f643524d59330fafe6e3e328e2179fc5116ee6fae5d39581467d53ac03" + hash = "087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212" + hash = "a74e8f94d2c140646a8bb12e3e322c49a97bd1b8a2e4327863d3623f43d65c66" + hash = "4dc24fd07f8fb854e685bc540359c59f177de5b91231cc44d6231e33c9e932b1" + hash = "0f58e09651d48d2b1bcec7b9f7bb85a2d1a7b65f7a51db281fe0c4f058a48597" + date = "2023-07-31" + score = 85 + strings: + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310034002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_30E0 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2" + hash = "a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640" + date = 
"2023-07-31" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310033002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_8D9A { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wantd_4.sys" 
@@ -46,7 +334,7 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_8D hash = "e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e" hash = "06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4" hash = "b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3" - date = "2023-07-14" + date = "2023-07-31" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ 
@@ -62,6 +350,30 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_8D } +rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_28F5 { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553" + hash = "2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21" + hash = "7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28" + date = "2023-07-31" + score = 85 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310035002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule MAL_Driver_Microsoftcorporation_Ntbiosys_Microsoftrwindowsrntoperatingsystem_96BF { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ntbios.sys" @@ -69,7 +381,7 @@ rule MAL_Driver_Microsoftcorporation_Ntbiosys_Microsoftrwindowsrntoperatingsyste reference = "https://github.com/magicsword-io/LOLDrivers" hash = "96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc" hash = "c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c" - date = "2023-07-14" + date = "2023-07-31" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006e007400620069006f00730020006400720069007600650072 } /* FileDescription ntbiosdriver */ @@ -91,7 +403,7 @@ rule MAL_Driver_Legalcorp_Pciexpressvideocapture_FD22 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8" - date = "2023-07-14" + date = "2023-07-31" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005000430049006500200056006900640065006f00200043006100700074007500720065 } /* FileDescription PCIeVideoCapture */ 
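Review bot: The new rule `MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_28F5` differs from the mimidrv rule visible above this hunk only in the year inside its LegalCopyright string (`...0032003000310035...`, i.e. 2015, versus 2013), and a third mimidrv rule added later in this diff (`MAL_Driver_Mimidrv_Mimidrvmimikatz_2FAF`) reuses five of these eight strings verbatim. With `all of them` each rule is pinned to one exact VERSIONINFO build, so a mimidrv whose copyright year or version string was touched with a resource editor slips past every one of them while the rule count for a single driver keeps growing. One rule keyed on the stable fields — `InternalName mimidrv`, `OriginalFilename mimidrv.sys`, `ProductName mimidrv (mimikatz)`, `CompanyName gentilkiwi (Benjamin DELPY)` — with `uint16(0) == 0x5a4d and filesize < 100KB and 3 of them` would cover every listed hash and the obvious variants. If this file is regenerated from LOLDrivers data, that consolidation belongs in the generator rather than in a hand edit here.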
@@ -112,7 +424,7 @@ rule MAL_Driver_Microsoftcorporation_Ndislansys_Microsoftwindowsoperatingsystem_
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 85
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d00530020004c0041004e0020004400720069007600650072 } /* FileDescription MSLANDriver */
@@ -134,7 +446,7 @@ rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_81
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 85
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */
@@ -156,7 +468,7 @@ rule MAL_Driver_Sensecorp_7F45 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 85
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006e0073006500350020004400720069007600650072 } /* FileDescription SenseDriver */
@@ -176,7 +488,7 @@ rule MAL_Driver_Microsoftcorporation_Wintapixsys_Microsoftwindowsoperatingsystem
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e"
 hash = "8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 85
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e0064006f007700730020004b00650072006e0065006c00200045007800650063007500740069007600650020004d006f00640075006c0065 } /* FileDescription WindowsKernelExecutiveModule */
@@ -198,7 +510,7 @@ rule MAL_Driver_Sensecorp_42B2 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 85
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530065006e0073006500350020004400720069007600650072 } /* FileDescription SenseDriver */
@@ -211,13 +523,32 @@ rule MAL_Driver_Sensecorp_42B2 { } +rule MAL_Driver_Mimidrv_Mimidrvmimikatz_2FAF { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8" + date = "2023-07-31" + score = 85 + strings: + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310035002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule MAL_Driver_Microsoftcorporation_Srvnetsys_Microsoftwindowsoperatingsystem_F6C3 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinTapix.sys, SRVNET2.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d" - date = "2023-07-14" + date = "2023-07-31" score = 85 strings: $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053006500720076006500720020004e006500740077006f0072006b0020006400720069007600650072 } /* FileDescription ServerNetworkdriver */ 
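Review bot: Every string in the new `MAL_Driver_Mimidrv_Mimidrvmimikatz_2FAF` (ProductVersion 2.0.0.0, InternalName mimidrv, ProductName, OriginalFilename mimidrv.sys, LegalCopyright 2007 - 2015) is byte-identical to one of the eight strings of `MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_28F5` added earlier in this diff, so any file that fires 28F5 also fires 2FAF: two alerts for one sample, and 28F5 contributes no detection of its own. Either fold the 28f5…/2fd4…/7824… hashes into this rule's `hash` meta and drop 28F5, or give 2FAF a distinguishing string if sample 2faf… genuinely lacks FileDescription and CompanyName. Separately, this hunk also rewrites `date` on the otherwise untouched Srvnetsys rule to `"2023-07-31"`; if the generator stamps every rule on each run, the field no longer records when a rule was created or last changed, which is what downstream consumers read it for.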
@@ -233,35 +564,13 @@ rule MAL_Driver_Microsoftcorporation_Srvnetsys_Microsoftwindowsoperatingsystem_F } -rule MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_200F { - meta: - description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a" - date = "2023-07-14" - score = 85 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006d0069006d006900640072007600200066006f0072002000570069006e0064006f0077007300200028006d0069006d0069006b00610074007a0029 } /* FileDescription mimidrvforWindowsmimikatz */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* CompanyName gentilkiwiBenjaminDELPY */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]006d0069006d006900640072007600200028006d0069006d0069006b00610074007a0029 } /* ProductName mimidrvmimikatz */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0069006d0069006400720076002e007300790073 } /* OriginalFilename mimidrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310039002000670065006e00740069006c006b0069007700690020002800420065006e006a0061006d0069006e002000440045004c005000590029 } /* LegalCopyright CopyrightcgentilkiwiBenjaminDELPY */ - 
condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - rule MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperatingsystem_6908 { meta: description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wantd_2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f" - date = "2023-07-14" + date = "2023-07-31" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570041004e0020005400720061006e00730070006f007200740020004400720069007600650072 } /* FileDescription WANTransportDriver */ @@ -283,7 +592,7 @@ rule MAL_Driver_Gmer_Gmersys_Gmer_18C9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7" - date = "2023-07-14" + date = "2023-07-31" score = 85 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004d00450052002000440072006900760065007200200068007400740070003a002f002f007700770077002e0067006d00650072002e006e00650074 } /* FileDescription GMERDriverhttpwwwgmernet */ 
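Review bot: This hunk deletes `MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_200F` (hash 200f9865…, FileVersion/ProductVersion 2.2.0.0, LegalCopyright 2007 - 2019), and none of the mimidrv rules added elsewhere in this diff carries a 2.2.0.0 version string or a 2019 copyright, so coverage for that build of mimidrv.sys appears to be lost by the regeneration. Unless the rule is re-added in a hunk outside this view, confirm why the LOLDrivers entry dropped the hash before accepting the deletion; a driver that was once in the ruleset should not leave it silently because an upstream YAML was reorganised. Keeping the old rule, or at least its hash and the `2.2.0.0` strings, until that is verified is the safer default for a detection repo.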
@@ -297,3 +606,20 @@ rule MAL_Driver_Gmer_Gmersys_Gmer_18C9 { condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } + + +rule MAL_Driver_773B { + meta: + description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "773b4a1efb9932dd5116c93d06681990759343dfe13c0858d09245bc610d5894" + date = "2023-07-31" + score = 85 + strings: + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0031002e0030 } /* ProductVersion */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d002000320030003100370020 } /* LegalCopyright Copyrightc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} diff --git a/detections/yara/yara-rules_vuln_drivers.yar b/detections/yara/yara-rules_vuln_drivers.yar index b39fb4fc8..62c59d946 100644 --- a/detections/yara/yara-rules_vuln_drivers.yar +++ b/detections/yara/yara-rules_vuln_drivers.yar 
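Review bot: `MAL_Driver_773B` requires only three strings — FileVersion `2.1.1.0`, ProductVersion `2.1.1.0` and a LegalCopyright that decodes to `Copyright (c) 2007 - 2017 ` with no author name after it — so any PE under 100KB from an unrelated project that carries version 2.1.1.0 and a 2007–2017 copyright line matches at score 85 under a MAL_ prefix. Nothing in the rule ties it to mimidrv; even the rule name lost its company/product tokens, which suggests the sample's VERSIONINFO is missing those fields. If sample 773b… still has InternalName/OriginalFilename, add `$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0069006d0069006400720076 } /* InternalName mimidrv */` to the string set; if it does not, lower `score` and give the rule a name that makes its generic nature visible to whoever triages hits.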
@@ -1,11 +1,121 @@ +rule PUA_VULN_Driver_Novellinc_Novellxtier_EC13 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ec1307356828426d60eab78ffb5fc48a06a389dea6e7cc13621f1fa82858a613" + hash = "6c5aef14613b8471f5f4fdeb9f25b5907c2335a4bc18b3c2266fb1ffd8f1741d" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Iobit_Iobitunlockersys_Iobitunlocker_5EA5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" + author 
= "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5ea5f339b2e40dea57378626790ca7e9a82777aacdada5bc61ebb7d82043fa07" + hash = "b0dd55b4dc7e561dfe413b029673674e2a5381f5f4daede03ddf3484310a6e11" + hash = "a92d2736c8cd99195a1ef4d0d9a3412bee481acf585944e3b5946b465361a3e7" + hash = "d3e95b8d8cbb0c4c3bb78d929408b37fd3b8f305b6234f7f03954465d52454eb" + hash = "b6ae324b84a4632cf690dd565954d64b205104fc3fa42181612c3f5b830579c6" + hash = "d8096325bfe81b093dd522095b6153d9c4850ba2eaa790e12e7056ef160d0432" + hash = "0209934453e9ce60b1a5e4b85412e6faf29127987505bfb1185fc9296c578b09" + hash = "2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae" + hash = "c2e1a3dd0dfb3477a3e855368b23d12b8818df8fa3bc3508abf069a0873d6bf8" + hash = "faa9aa7118ecf9bb6594281f6b582f1ced0cc62d5db09a2fbf9b7ce70c532285" + hash = "507724d96a54f3e45c16a065bf38ae82a9b80d07096a461068a701cae0c1cf29" + hash = "969f73a1da331e43777a3c1f08ec0734e7cf8c8136e5d469cbad8035fbfe3b47" + hash = "a38c26c0754f6c9389ea43dd0149db26b95742c1b37468fcf0d8ced66da1dcb9" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f0062006900740055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription IObitUnlockerDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072 
} /* ProductName IObitUnlocker */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0049004f00620069007400200043006f0070007900720069006700680074002000a900200032003000300035002d0032003000310033 } /* LegalCopyright IObitCopyright */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_D807 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d80714d87529bb0bc7abcc12d768c43a697fbca59741c38fa0b46900da4db30e" + hash = "fed0fe2489ae807913be33827b3b11359652a127e33b64464cc570c05abd0d17" + hash = "7048d90ed4c83ad52eb9c677f615627b32815066e34230c3b407ebb01279bae6" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Powertool_Kevpsys_Powertool_7462 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7462b7ae48ae9469474222d4df2f0c4f72cdef7f3a69a524d4fccc5ed0fd343f" + hash = "7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230" + hash = "d9500af86bf129d06b47bcfbc4b23fcc724cfbd2af58b03cdb13b26f8f50d65e" + hash = "97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56" + hash = "e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4" + hash = "2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d" + hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" + hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" + hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */ + condition: + all of them +} + + rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_8B92 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -27,7 +137,7 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7196 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ 
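Review bot: The four new PUA_VULN_Driver rules in this hunk (Novell nicm.sys, IObitUnlocker.sys, ElbyCDIO x64, kEvP64.sys) end in a bare `condition: all of them`, whereas every MAL_Driver rule in this same diff guards with `uint16(0) == 0x5a4d and filesize < 100KB and all of them`. Without the MZ check the eight UTF-16 strings are searched in every scanned file regardless of type or size, and a hit on an installer, driver bundle or memory dump that merely embeds the driver is reported as though the file were the driver itself. The conditions of the pre-existing PUA_VULN rules fall outside this hunk, so this may be the file's convention; if so, the fix belongs in the generator for the whole file — at minimum `uint16(0) == 0x5a4d and all of them`, with a filesize cap chosen from the listed samples rather than guessed.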
@@ -50,7 +160,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_1
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e"
 hash = "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
@@ -73,7 +183,7 @@ rule PUA_VULN_Driver_Yyinc_Dianhu_BB50 {
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955"
 hash = "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006400690061006e00680075 } /* FileDescription dianhu */
@@ -93,7 +203,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CF4B {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d005300490043006c006f0063006b005f00430043 } /* FileDescription NTIOLibforMSIClockCC */
@@ -111,12 +221,14 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CF4B { rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00" + hash = "7227377a47204f8e2ff167eee54b4b3545c0a19e3727f0ec59974e1a904f4a96" + hash = "b11e109f6b3dbc8aa82cd7da0b7ba93d07d9809ee2a4b21ec014f6a676a53027" hash = "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -138,11 +250,12 @@ rule PUA_VULN_Driver_Phoenixtechnologies_Agentsys_Driveragent_6948 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa"
+ hash = "4db1e0fdc9e6cefeb1d588668ea6161a977c372d841e7b87098cf90aa679abfb"
 hash = "8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f"
 hash = "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414"
 hash = "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748"
 hash = "4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004400720069007600650072004100670065006e0074002000440069007200650063007400200049002f004f00200066006f0072002000360034002d006200690074002000570069006e0064006f00770073 } /* FileDescription DriverAgentDirectIOforbitWindows */
@@ -171,7 +284,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_FF11 {
 hash = "57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572"
 hash = "4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee"
 hash = "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
@@ -187,6 +300,105 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_FF11 { } +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxusbsys_Virtualboxusbdriver_5B26 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5b26c4678ecd37d1829513f41ff9e9df9ef1d1d6fea9e3d477353c90cc915291" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_8E92 { + meta: + description = "Detects vulnerable driver mentioned in 
LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8e92aacd60fca1f09b7257e62caf0692794f5d741c5d1eec89d841e87f2c359c" + hash = "84c5f6ddd9c90de873236205b59921caabb57ac6f7a506abbe2ce188833bbe51" + hash = "ac1af529c9491644f1bda63267e0f0f35e30ab0c98ab1aecf4571f4190ab9db4" + hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e" + hash = "79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd" + hash = "6001c6acae09d2a91f8773bbdfd52654c99bc672a9756dc4cb53dc2e3efeb097" + hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98" + hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126" + hash = "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_7D4C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7d4ca5760b6ad2e4152080e115f040f9d42608d2c7d7f074a579f911d06c8cf8" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e } /* CompanyName TOSHIBACorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0031002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* InternalName NCHGBIOSxSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0054004f00530048004900420041002000420049004f00530020005000610063006b006100670065 } /* ProductName TOSHIBABIOSPackage */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* OriginalFilename NCHGBIOSxSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200031003900390039002d003200300031003000200054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCTOSHIBACorporationAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_D7B7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d7b743c3f98662c955c616e0d1bb0800c9602e5b6f2385336a72623037bfd6dd" + hash = "2665d3127ddd9411af38a255787a4e2483d720aa021be8d6418e071da52ed266" + hash = "567809308cfb72d59b89364a6475f34a912d03889aa50866803ac3d0bf2c3270" + hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" @@ -194,7 +406,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250" hash = "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d0053004900530069006d0070006c0065005f004f0043 } /* FileDescription NTIOLibForMSISimpleOC */ 
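Review bot: In `PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_8E92` the CompanyName (`Windows (R) Codename Longhorn DDK provider`), ProductName (`... DDK driver`), FileVersion `6.0.6000.16386 built by: WinDDK` and the Microsoft LegalCopyright are the unedited WinDDK sample VERSIONINFO, not CPUID's vendor data, so the rule name and description read as if this were a Microsoft-attributed driver. Those template strings are shared by every driver built from the same DDK skeleton; the only CPUID-specific content is `CPUID Driver` and `cpuz.sys`, which under `all of them` is enough to keep the rule tight, but an analyst triaging a hit is misled by the name. Suggest the description `"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys (CPUID driver; CompanyName/ProductName/LegalCopyright carry the WinDDK template values, not the vendor)"` and, if the generator allows an override, a rule name derived from the FileDescription instead. As with the other new PUA_VULN rules in this diff, all four conditions here are a bare `all of them` without the `uint16(0) == 0x5a4d` guard the MAL_Driver rules carry.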
@@ -217,7 +429,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd" hash = "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -239,7 +451,7 @@ rule PUA_VULN_Driver_Phoenixtechnologiesltd_Phlashnt_Winphlash_65DB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300570069006e0046006c006100730068002000440072006900760065007200200066006f0072002000570069006e0064006f007700730020004e0054 } /* FileDescription SWinFlashDriverforWindowsNT */ @@ -262,7 +474,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EE3F { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7" hash = "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -284,7 +496,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_ECD0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -306,7 +518,7 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ 
@@ -322,13 +534,35 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { } +rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_BE68 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "be683cd38e64280567c59f7dc0a45570abcb8a75f1d894853bbbd25675b4adf7" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_1023 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -346,11 +580,11 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ 
@@ -366,6 +600,39 @@ rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 { } +rule PUA_VULN_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_65DE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "65deb5dca18ee846e7272894f74d84d9391bbe260c22f24a65ab37d48bd85377" + hash = "c7f64b27cd3be5af1c8454680529ea493dfbb09e634eec7e316445ad73499ae0" + hash = "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e" + hash = "922d23999a59ce0d84b479170fd265650bc7fae9e7d41bf550d8597f472a3832" + hash = "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c" + hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289" + hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c" + hash = "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e" + hash = "c673f2eed5d0eed307a67119d20a91c8818a53a3cb616e2984876b07e5c62547" + hash = "b7aa4c17afdaff1603ef9b5cc8981bed535555f8185b59d5ae13f342f27ca6c5" + hash = "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b" + hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D8 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amifldrv64.sys, amifldrv.sys" @@ -373,7 +640,7 @@ rule PUA_VULN_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D reference = "https://github.com/magicsword-io/LOLDrivers" hash = "38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20" hash = "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0049002000470065006e00650072006900630020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription AMIGenericUtilityDriver */ 
@@ -395,7 +662,7 @@ rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_9131 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ @@ -417,7 +684,7 @@ rule PUA_VULN_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00500020004d0069006e006900660069006c007400650072 } /* FileDescription AMPMinifilter */ 
@@ -433,6 +700,54 @@ rule PUA_VULN_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_66A2 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "66a20fc2658c70facd420f5437a73fa07a5175998e569255cfb16c2f14c5e796" + hash = "4cd80f4e33b713570f6a16b9f77679efa45a466737e41db45b41924e7d7caef4" + hash = "00c02901472d74e8276743c847b8148be3799b0e3037c1dfdca21fa81ad4b922" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_0B54 { + meta: + description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0b547368c03e0a584ae3c5e62af3728426c68b316a15f3290316844d193ad182" + hash = "f15962354d37089884abba417f58e9dbd521569b4f69037a24a37cfc2a490672" + hash = "9fa120bda98633e30480d8475c9ac6637470c4ca7c63763560bf869138091b01" + hash = "9eba5d1545fdbf37cf053ac3f3ba45bcb651b8abb7805cbfdfb5f91ea294fb95" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + all of them +} + + rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
vboxdrv.sys" @@ -440,7 +755,7 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f" hash = "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
@@ -456,6 +771,30 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 { } +rule PUA_VULN_Driver_Windowsrwinddkprovider_Lgdatacatchersys_Gameacc_07FB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDataCatcher.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "07fb2bb6c852f6a6fe982b2232f047e167be39738bac26806ffe0927ba873756" + hash = "45b07a2f387e047a6bb0e59b7f22fb56182d57b50e84e386a38c2dbb7e773837" + hash = "516159871730b18c2bddedb1a9da110577112d4835606ee79bb80e7a58784a13" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006500690067006f00640020006e006500740020006400610074006100200063006100740063006800650072002e } /* FileDescription Leigodnetdatacatcher */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* InternalName LgDataCatchersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470061006d0065004100630063 } /* ProductName GameAcc */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* OriginalFilename LgDataCatchersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002000320030003200300020006e006e002e0063006f006d } /* LegalCopyright 
Copyrightnncom */ + condition: + all of them +} + + rule PUA_VULN_Driver_Bsmisys_552F { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BSMIx64.sys" @@ -463,7 +802,7 @@ rule PUA_VULN_Driver_Bsmisys_552F { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9" hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053004d00490020004400720069007600650072 } /* FileDescription SMIDriver */ @@ -486,7 +825,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatftatcamfntam hash = "5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be" hash = "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5" hash = "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440065006600610075006c0074002000420049004f005300200046006c0061007300680020004400720069007600650072 } /* FileDescription DefaultBIOSFlashDriver */ @@ -508,7 +847,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3070 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0053004900200043006f006d00430065006e00530065007200760069006300650020004400720069007600650072 } /* FileDescription MSIComCenServiceDriver */ 
@@ -530,7 +869,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_AAA3 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -552,7 +891,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_654C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -574,18 +913,25 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f" + hash = "c8f0bb5d8836e21e7a22a406c69c01ba7d512a808c37c45088575d548ee25caa" hash = "df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15" + hash = "636b4c1882bcdd19b56370e2ed744e059149c64c96de64ac595f20509efa6220" hash = "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758" + hash = "b01ebea651ec7780d0fe88dd1b6c2500a36dacf85e3a4038c2ca1c5cb44c7b5d" hash = "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6" hash = "5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe" + hash = "a11cf43794ea5b5122a0851bf7de08e559f6e9219c77f9888ff740055f2c155e" + hash = "d0543f0fdc589c921b47877041f01b17a534c67dcc7c5ad60beba8cf7e7bc9c6" + hash = "b9695940f72e3ed5d7369fb32958e2146abd29d5895d91ccc22dfbcc9485b78b" hash = "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b" + hash = "e51ec2876af3c9c3f1563987a9a35a10f091ea25ede16b1a34ba2648c53e9dfc" hash = "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90" hash = "80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1" hash = "523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba" hash = "67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc" hash = "1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512" hash = "9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ 
@@ -607,7 +953,7 @@ rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_3143 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ 
@@ -623,13 +969,37 @@ rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_3143 { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_F77F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f77fe6b1e0e913ac109335a8fa2ac4961d35cbbd50729936059aba8700690a9e" + hash = "c6feb3f4932387df7598e29d4f5bdacec0b9ce98db3f51d96fc4ffdcc6eb10e1" + hash = "1675eedd4c7f2ec47002d623bb4ec689ca9683020e0fdb0729a9047c8fb953dd" + hash = "e7b79fe1377b3da749590c080d4d96e59e622b1013b2183b98c81baa8bf2fffe" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them 
+} + + rule PUA_VULN_Driver_Wj_Kprocesshacker_C725 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - krpocesshacker.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ 
@@ -644,15 +1014,72 @@ rule PUA_VULN_Driver_Wj_Kprocesshacker_C725 { } -rule PUA_VULN_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_5C04 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_3140 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a" - hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173" + hash = "3140005ce5cac03985f71c29732859c88017df9d41c3761aa7c57bbcb7ad2928" + hash = "18f306b6edcfacd33b7b244eaecdd0986ef342f0d381158844d1f0ee1ac5c8d7" + hash = "c08581e3e444849729c5b956d0d6030080553d0bc6e5ae7e9a348d45617b9746" + hash = "94c226a530dd3cd8d911901f702f3dab8200d1d4fdc73fcb269f7001f4e66915" + hash = "00b3ff11585c2527b9e1c140fd57cb70b18fd0b775ec87e9646603056622a1fd" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* 
OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_47E3 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "47e35f474f259314c588af35e88561a015801b52db523eb75fc7eccff8b3be4d" + hash = "6703400b490b35bcde6e41ce1640920251855e6d94171170ae7ea22cdd0938c0" + hash = "f488500be4eaafba74b644be95d4c0523297770fb9bb78c449f643ab8d4a05d9" + hash = "639ff79f13e40d47b90ecd709699edd10e740cb41451acb95590a68b6352de2b" + hash = "0eace788e09c8d3f793a1fad94d35bcfd233f0777873412cd0c8172865562eec" + hash = "db1dbb09d437d3e8bed08c88ca43769b4fe8728f68b78ff6f9c8d2557e28d2b1" + hash = "5c54a5cd3386ac14725a07962562e9fdcefbb7be0d19803f9d71de24573de1e3" + hash = "8017e618b5a7aa608cc4bce16e4defd6b4e99138c4ba1bdd6ad78e39f035cf59" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_5C04 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a" + hash = "c825a47817399e988912bb75106befaefae0babc0743a7e32b46f17469c78cad" + hash = "be66f3bbfed7d648cfd110853ddb8cef561f94a45405afc6be06e846b697d2b0" + hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173" hash = "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7" - date = "2023-07-14" + hash = "6c6c5e35accc37c928d721c800476ccf4c4b5b06a1b0906dc5ff4df71ff50943" + date = "2023-07-31" score = 40 strings: $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410054004900200044006900610067006e006f007300740069006300730020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription ATIDiagnosticsHardwareAbstractionSys */ @@ -674,7 +1101,7 @@ rule PUA_VULN_Driver_Lenovogrouplimitedr_Lenovodiagnosticsdriversys_Lenovodiagno author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073002000440072006900760065007200200066006f0072002000570069006e0064006f0077007300200031003000200061006e00640020006c0061007400650072002e } /* FileDescription LenovoDiagnosticsDriverforWindowsandlater */ @@ -697,7 +1124,7 @@ rule PUA_VULN_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsystem_E75 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf" hash = "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c00480041 } /* FileDescription LHA */ 
@@ -713,6 +1140,29 @@ rule PUA_VULN_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsystem_E75 } +rule PUA_VULN_Driver_Novellinc_Novellxtier_E728 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e728b259113d772b4e96466ab8fe18980f37c36f187b286361c852bd88101717" + hash = "a15325e9e6b8e4192291deb56c20c558dde3f96eb682c6e90952844edb984a00" + hash = "4c859b3d11d2ff0049b644a19f3a316a8ca1a4995aa9c39991a7bde8d4f426a4" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + rule 
PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_55FE { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_I2cIo.sys" @@ -721,7 +1171,7 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_55FE { hash = "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a" hash = "42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb" hash = "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ 
@@ -737,34 +1187,6 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_55FE { } -rule PUA_VULN_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_C3E1 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e" - hash = "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c" - hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289" - hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c" - hash = "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e" - hash = "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b" - hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ - condition: - all of them -} - - rule PUA_VULN_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_1792 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" @@ -772,8 +1194,9 @@ rule PUA_VULN_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_1 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229" hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427" + hash = "88992ddcb9aaedb8bfcc9b4354138d1f7b0d7dddb9e7fcc28590f27824bee5c3" hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ 
@@ -795,10 +1218,15 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3"
+ hash = "da617fe914a5f86dc9d657ef891bbbceb393c8a6fea2313c84923f3630255cdb"
 hash = "5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02"
+ hash = "368a9c2b6f12adbe2ba65181fb96f8b0d2241e4eae9f3ce3e20e50c3a3cc9aa1"
+ hash = "572c545b5a95d3f4d8c9808ebeff23f3c62ed41910eb162343dd5338e2d6b0b4"
+ hash = "4d5059ec1ebd41284b9cea6ce804596e0f386c09eee25becdd3f6949e94139ba"
 hash = "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa"
+ hash = "11a4b08e70ebc25a1d4c35ed0f8ef576c1424c52b580115b26149bd224ffc768"
 hash = "ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
@@ -820,7 +1248,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_7
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
@@ -842,7 +1270,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
@@ -864,9 +1292,17 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_26E3 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43"
+ hash = "53bd8e8d3542fcf02d09c34282ebf97aee9515ee6b9a01cefd81baa45c6fd3d6"
+ hash = "b4c07f7e7c87518e8950eb0651ae34832b1ecee56c89cdfbd1b4efa8cf97779f"
+ hash = "b738eab6f3e32cec59d5f53c12f13862429d3db6756212bbcd78ba4b4dbc234c"
+ hash = "0484defcf1b5afbe573472753dc2395e528608b688e5c7d1d178164e48e7bed7"
+ hash = "d366cbc1d5dd8863b45776cfb982904abd21d0c0d4697851ff54381055abcfc8"
+ hash = "65e3548bc09dffd550e79501e3fe0fee268f895908e2bba1aa5620eb9bdac52d"
 hash = "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26"
+ hash = "fb1183ef22ecbcc28f9c0a351c2c0280f1312a0fdf8a9983161691e2585efc70"
+ hash = "8a0702681bc51419fbd336817787a966c7f92cabe09f8e959251069578dfa881"
 hash = "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
@@ -888,9 +1324,12 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_2E66 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0" + hash = "b0b6a410c22cc36f478ff874d4a23d2e4b4e37c6e55f2a095fc4c3ef32bcb763" hash = "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f" + hash = "5a661e26cfe5d8dedf8c9644129039cfa40aebb448895187b96a8b7441d52aaa" hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22" - date = "2023-07-14" + hash = "202d9703a5b8d06c5f92d2c5218a93431aa55af389007826a9bfaaf900812213" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ @@ -911,10 +1350,12 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_8D57 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2" + hash = "b8ffe83919afc08a430c017a98e6ace3d9cbd7258c16c09c4f3a4e06746fc80a" hash = "f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c" hash = "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88" hash = "771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c" - date = "2023-07-14" + hash = "6c5c6c350c8dd4ca90a8cca0ed1eeca185ebc67b1100935c8f03eb3032aca388" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ 
@@ -936,7 +1377,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_9
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
@@ -952,6 +1393,38 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_9 } +rule PUA_VULN_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_4D03 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4d03a01257e156a3a018230059052791c3cde556e5cec7a4dd2f55f65c06e146" + hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9" + hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" + hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" + hash = "53bb076e81f6104f41bc284eedae36bd99b53e42719573fa5960932720ebc854" + hash = "d20d8bf80017e98b6dfc9f6c3960271fa792a908758bef49a390e2692a2a4341" + hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" + hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838" + hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d" + hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7" + hash = "4bf974f5d3489638a48ee508b4a8cfa0f0262909778ccdd2e871172b71654d89" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ + condition: + all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_9521 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" @@ -988,7 +1461,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_9521 { hash = "9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449" hash = "7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504" hash = "39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ 
@@ -1012,7 +1485,8 @@ rule PUA_VULN_Driver_Asustek_Driversys_Ectool_4285 { hash = "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0" hash = "927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a" hash = "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd" - date = "2023-07-14" + hash = "1beb15c90dcf7a5234ed077833a0a3e900969b60be1d04fcebce0a9f8994bdbb" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400680065002000640072006900760065007200200066006f007200200074006800650020004500430074006f006f006c0020006400720069007600650072002d0062006100730065006400200074006f006f006c0073 } /* FileDescription ThedriverfortheECtooldriverbasedtools */ 
@@ -1028,6 +1502,30 @@ rule PUA_VULN_Driver_Asustek_Driversys_Ectool_4285 { } +rule PUA_VULN_Driver_Netfiltersys_26D6 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "26d67d479dafe6b33c980bd1eed0b6d749f43d05d001c5dcaaf5fcddb9b899fe" + hash = "2fa78c2988f9580b0c18822b117d065fb419f9c476f4cfa43925ba6cd2dffac3" + hash = "6a234a2b8eb3844f7b5831ee048f88e8a76e9d38e753cc82f61b234c79fe1660" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + all of them +} + + rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_D682 { meta: 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" @@ -1044,7 +1542,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_D hash = "89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7" hash = "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd" hash = "c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -1066,7 +1564,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_949 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ 
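Review bot: The new rule `PUA_VULN_Driver_Netfiltersys_26D6` drops the vendor and product segments that every other rule name in this file carries, and its `CompanyName` and `ProductName` strings are labelled only `/* CompanyName */` and `/* ProductName */`, so a reader cannot tell what those two hex patterns match. The values `5b8f56fe65e05fe7` and `65e05fe752a0901f5668` appear to be non-Latin (CJK) code points that the generator's ASCII transliteration reduced to an empty label, which presumably is also why the name segments went missing. I would have the generator mark this case explicitly, e.g. `/* CompanyName (non-Latin value, not transliterated) */`, and emit a fixed placeholder segment in the rule name so the naming convention stays uniform and the rule is still findable by vendor. The same applies to `PUA_VULN_Driver_Netfiltersys_7FF8` in the hunk at `@@ -1214,13 +1832,37 @@`.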
@@ -1082,13 +1580,35 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_949 } +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_9E34 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9e3430d5e0e93bc4a5dccc985053912065e65722bfc2eaf431bc1da91410434c" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + all of them +} + + rule PUA_VULN_Driver_Zemanaltd_Zam_7CB5 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = 
"7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -1109,7 +1629,7 @@ rule PUA_VULN_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_5A82 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a" hash = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200610077004400690073006b0020004400720069007600650072002e00200041006c006c006f00770073002000770072006900740065002000610063006300650073007300200074006f002000660069006c0065007300200061006e006400200072006100770020006400690073006b00200073006500630074006f0072007300200066006f0072002000750073006500720020006d006f006400650020006100700070006c00690063006100740069006f006e007300200069006e002000570069006e0064006f007700730020003200300030003000200061006e00640020006c0061007400650072002e } /* FileDescription RawDiskDriverAllowswriteaccesstofilesandrawdisksectorsforusermodeapplicationsinWindowsandlater */ @@ -1131,7 +1651,7 @@ rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ 
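Review bot: The trailing comments on the new `PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_9E34` strings are lossy to the point of being misleading: `/* LegalCopyright CopyrightC */` stands for a hex value that decodes to "Copyright (C) 2010-2014", and the `FileVersion` and `ProductVersion` entries carry no decoded value at all, so an analyst tuning or triaging this rule has to hand-decode UTF-16 to know which version is pinned. Since the hex pattern is the only authoritative content, I would have the generator keep digits and punctuation in the label or print the decoded value verbatim, e.g. `/* LegalCopyright "Copyright (C) 2010-2014" */` and `/* FileVersion "1.0.12.6087" */`. The later inpout32 rule shows the same drift, where "Logix4u" becomes `Logixu`.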
@@ -1147,13 +1667,61 @@ rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { } +rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutsys_Inpoutdriverversion_B8DE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpout32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b8ded5e10dfc997482ba4377c60e7902e6f755674be51b0e181ae465529fb2f2" + hash = "945ee05244316ff2f877718cf0625d4eb34e6ec472f403f958f2a700f9092507" + hash = "cfab93885e5129a86d13fd380d010cc8c204429973b776ab1b472d84a767930f" + hash = "7db320e49139f636c8b6d12b6c78b666a62599e9d59587ba87c6b89b0a34b18d" + hash = "16360ead229b13deb47bc2bef40f282474c9f18c213c636cdfb8cc2495168251" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048006900670068007200650073006f006c007500740069006f006e00200045006e0074006500720070007200690073006500730020005b007700770077002e006800690067006800720065007a002e0063006f002e0075006b005d } /* CompanyName HighresolutionEnterpriseswwwhighrezcouk */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* InternalName inpoutsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006e0070006f00750074003300320020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName 
inpoutDriverVersion */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* OriginalFilename inpoutsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300030003800200048006900670068007200650073006f006c007500740069006f006e00200045006e007400650072007000720069007300650073002e00200050006f007200740069006f006e007300200043006f007000790072006900670068007400200028006300290020004c006f00670069007800340075 } /* LegalCopyright CopyrightcHighresolutionEnterprisesPortionsCopyrightcLogixu */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_B9AD { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b9ad7199c00d477ebbc15f2dcf78a6ba60c2670dad0ef0994cebccb19111f890" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200033002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* 
ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - superbmc.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007300750070006500720062006d0063 } /* FileDescription superbmc */ 
@@ -1169,13 +1737,60 @@ rule PUA_VULN_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1228 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1228d0b6b4f907384346f64e918cc28021fe1cd7d4e39687bca34a708998261a" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003400200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_DD2F { + meta: + 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "dd2f1f7012fb1f4b2fb49be57af515cb462aa9c438e5756285d914d65da3745b" + hash = "0cfb7ea2cc515a7fe913ab3619cbfcf1ca96d8cf72dc350905634a5782907a49" + hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b" + hash = "d1c78c8ba70368e96515fb0596598938a8f9efa8f9f5d9e068ee008f03020fee" + hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Dell_Dbutil_71FE { meta: description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DBUtilDrv2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440042005500740069006c } /* FileDescription DBUtil */ @@ -1195,10 +1810,13 @@ rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_EA0B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3" hash = "3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf" + hash = "83fbf5d46cff38dd1c0f83686708b3bd6a3a73fddd7a2da2b5a3acccd1d9359c" hash = "1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe" hash = "45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a" hash = "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d" - date = "2023-07-14" + hash = "d15a0bc7a39bbeff10019496c1ed217b7c1b26da37b2bdd46820b35161ddb3c4" + hash = "bdcacb9f373b017d0905845292bca2089feb0900ce80e78df1bcaae8328ce042" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200770044007200760020004400720069007600650072 } /* FileDescription RwDrvDriver */ 
@@ -1214,13 +1832,37 @@ rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_EA0B { } +rule PUA_VULN_Driver_Netfiltersys_7FF8 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7ff8fe4c220cf6416984b70a7e272006a018e5662da3cedc2a88efeb6411b4a4" + hash = "1cd75de5f54b799b60789696587b56a4a793cf60775b81f236f0e65189d863af" + hash = "12656fc113b178fa3e6bfffc6473897766c44120082483eb8059ebff29b5d2df" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + all of them +} + + rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_7795 { meta: 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* FileDescription */ @@ -1242,7 +1884,7 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_CFCF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ @@ -1264,7 +1906,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ 
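Review bot: The CompanyName and ProductName strings in the new PUA_VULN_Driver_Netfiltersys_7FF8 rule can never match a real PE resource, which with `condition: all of them` means the whole rule is dead. The generator writes every UTF-16 code unit big-endian (`0046` for `F`), which only works for ASCII because the resource's little-endian bytes `46 00` line up one byte shifted; for the non-ASCII units `5b8f 56fe 65e0 5fe7` and `65e0 5fe7 52a0 901f 5668` (read big-endian they form a plausible CJK name consistent with the `WYJSQ` FileDescription) the on-disk bytes are `8f 5b fe 56 …`, so the pattern `5b8f56fe…` does not occur. Assuming the resource strings are the usual UTF-16LE, the two patterns should be byte-swapped to `$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]8f5bfe56e065e75f } /* CompanyName (UTF-16LE, non-ASCII) */` and `$ = { 00500072006f0064007500630074004e0061006d0065[1-8]e065e75fa0521f906856 } /* ProductName (UTF-16LE, non-ASCII) */`, and the rule should be test-fired against one of the three listed hashes before merging. The generator itself, which presumably lives outside this file, needs the same fix for any other driver with non-Latin version info.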
@@ -1280,13 +1922,71 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ } +rule PUA_VULN_Driver_Elaboratebytes_Elbycdio_Cdrtools_07AF { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "07af8c5659ad293214364789df270c0e6d03d90f4f4495da76abc2d534c64d88" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_F7E0 { + meta: + description = "Detects vulnerable driver mentioned in 
LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f7e0cca8ad9ea1e34fa1a5e0533a746b2fa0988ba56b01542bc43841e463b686" + hash = "ef1abc77f4000e68d5190f9e11025ea3dc1e6132103d4c3678e15a678de09f33" + hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" + hash = "a3975db1127c331ba541fffff0c607a15c45b47aa078e756b402422ef7e81c2c" + hash = "019c2955e380dd5867c4b82361a8d8de62346ef91140c95cb311b84448c0fa4f" + hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63" + hash = "8d6febd54ce0c98ea3653e582f7791061923a9a4842bd4a1326564204431ca9f" + hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22" + hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" + hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775" + hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26" + hash = "3301b49b813427fa37a719988fe6446c6f4468dfe15aa246bec8d397f62f6486" + hash = "f8d6ce1c86cbd616bb821698037f60a41e129d282a8d6f1f5ecdd37a9688f585" + hash = "bc8cb3aebe911bd9b4a3caf46f7dda0f73fec4d2e4e7bc9601bb6726f5893091" + hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + condition: + all of them +} + + rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9A91 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo11X64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ @@ -1309,7 +2009,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_1 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1" hash = "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ 
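Review bot: The FileVersion and ProductVersion strings in PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_F7E0 decode to `6.1.7600.16385 built by: WinDDK` and `6.1.7600.16385`, the WDK toolchain version rather than a cpuz.sys release number, so the only release-specific discriminator left is the `2014` in the LegalCopyright pattern. The rule therefore fires on any cpuz.sys build carrying that copyright year, not just the 15 hashes listed in meta; that is consistent with `score = 40`, but it should be stated so consumers do not read the hash list as the rule's match set. I would add, directly under `strings:`, a comment such as `/* NOTE: version fields are the WinDDK build string; this rule keys on copyright year, not on a driver release */`.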
@@ -1332,7 +2032,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b" hash = "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -1354,7 +2054,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -1370,22 +2070,69 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 { } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E2E7 { +rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_C190 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6" - date = "2023-07-14" + hash = "c190e4a7f1781ec9fa8c17506b4745a1369dcdf174ce07f85de1a66cf4b5ed8a" + date = "2023-07-31" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ 
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0035002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e0031002e003500200028003200300030003600300038003200380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_DAF5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "daf549a7080d384ba99d1b5bd2383dbb1aa640f7ea3a216df1f08981508155f5" + hash = "786f0ba14567a7e19192645ad4e40bee6df259abf2fbdfda35b6a38f8493d6cc" + hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" + hash = "87aae726bf7104aac8c8f566ea98f2b51a2bfb6097b6fc8aa1f70adeb4681e1b" + hash = "48b1344e45e4de4dfb74ef918af5e0e403001c9061018e703261bbd72dc30548" + date = "2023-07-31" + score = 40 + strings: + 
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E2E7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: all of them @@ -1398,7 +2145,7 @@ rule PUA_VULN_Driver_Ssmartsoftwaresolutionsgmbh_Sysdrvs_Sysdrvs_0E53 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530079007300440072007600330053 } /* FileDescription SysDrvS */ 
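Review bot: The PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E2E7 block is removed at the top of this hunk and re-added verbatim at the bottom with only `date` changed, so the hunk reads as a rewrite when the substantive change is the insertion of the Novell C190 and WiseUnlo DAF5 rules. If the generator emitted rules in a stable order (for example sorted by rule name), regenerations would yield diffs limited to the rules that actually changed and make review of new detections much easier. Separately, rewriting `date = "2023-07-14"` to `date = "2023-07-31"` on a rule whose strings and hashes are unchanged discards the creation date; the usual convention is to leave `date` alone and record the regeneration in a separate `modified = "2023-07-31"` meta line.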
@@ -1420,7 +2167,7 @@ rule PUA_VULN_Driver_Copyright_Advancedmalwareprotection_6F55 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* FileDescription AdvancedMalwareProtection */ @@ -1443,7 +2190,7 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_D636 { hash = "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2" hash = "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff" hash = "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ 
@@ -1459,13 +2206,44 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_D636 { } +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_405A { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "405a99028c99f36ab0f84a1fd810a167b8f0597725e37513d7430617106501f1" + hash = "73c03b01d5d1eb03ec5cb5a443714b12fa095cc4b09ddc34671a92117ae4bb3a" + hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" + hash = "ff987c30ce822d99f3b4b4e23c61b88955f52406a95e6331570a2a13cbebc498" + hash = "78d49094913526340d8d0ef952e8fe9ada9e8b20726b77fb88c9fb5d54510663" + hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" + hash = "b0f6cd34717d0cea5ab394b39a9de3a479ca472a071540a595117219d9a61a44" + hash = "0e8595217f4457757bed0e3cdea25ea70429732b173bba999f02dc85c7e06d02" + hash = "40da0adf588cbb2841a657239d92f24b111d62b173204b8102dd0e014932fe59" + hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -1481,6 +2259,28 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_76AF { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "76af3f9fa111d694e37058606f2636430bdd378c85b94f426fbfcd6666ebe6cc" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000380020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + rule PUA_VULN_Driver_Novellinc_Novellxtier_AB09 { meta: 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" @@ -1489,8 +2289,10 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_AB09 { hash = "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a" hash = "e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48" hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790" + hash = "8138b219a2b1be2b0be61e5338be470c18ad6975f11119aee3a771d4584ed750" + hash = "f27febff1be9e89e48a9128e2121c7754d15f8a5b2e88c50102cecee5fe60229" hash = "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ 
@@ -1505,41 +2307,13 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_AB09 { } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_DEEC { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" - hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63" - hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22" - hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" - hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775" - hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26" - hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ - condition: - all of them -} - - rule PUA_VULN_Driver_Microfocus_Microfocusxtier_95D5 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription XTierCOMServicesDriver */ @@ -1560,7 +2334,7 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
@@ -1576,13 +2350,36 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_003E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "003e61358878c7e49e18420ee0b4a37b51880be40929a76e529c7b3fb18e81b4" + hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" + hash = "53810ca98e07a567bb082628d95d796f14c218762cbbaa79704740284dccda4b" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Zemanaltd_Zam_7661 { meta: description = "Detects vulnerable 
driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ 
@@ -1595,13 +2392,35 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_7661 { } +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_965D { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "965d4f981b54669a96c5ab02d09bf0a9850d13862425b8981f1a9271350f28bb" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + all of them +} + + rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = 
"Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -1617,13 +2436,36 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_653F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "653f6a65e0e608cae217bea2f90f05d8125cf23f83ba01a60de0f5659cfa5d4d" + hash = "a855b6ec385b3369c547a3c54e88a013dd028865aba0f3f08be84cdcbaa9a0f6" + hash = "49ef680510e3dac6979a20629d10f06822c78f45b9a62ec209b71827a526be94" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + rule 
PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_7D43 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -1645,7 +2487,7 @@ rule PUA_VULN_Driver_Pchuntersys_Pchunter_1B7F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00450070006f006f006c0073006f00660074002000570069006e0064006f0077007300200049006e0066006f0072006d006100740069006f006e0020005600690065007700200054006f006f006c0073 } /* FileDescription EpoolsoftWindowsInformationViewTools */ 
@@ -1667,9 +2509,13 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_2A6D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486" + hash = "3813c1aab1760acb963bcc10d6ea3fddc2976b9e291710756408de392bc9e5d5" hash = "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399" + hash = "68671b735716ffc168addc052c5dc3d635e63e71c1e78815e7874286c3fcc248" hash = "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961" - date = "2023-07-14" + hash = "69640e9209f8e2ac25416bd3119b5308894b6ce22b5c80cb5d5f98f2f85d42ce" + hash = "2298e838e3c015aedfb83ab18194a2503fe5764a862c294c8b39c550aab2f08e" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -1692,7 +2538,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee" hash = "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062005f005800360034 } /* FileDescription NTIOLibX */ 
@@ -1708,13 +2554,37 @@ rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_1B17 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1b17d12076d047e74d15e6e51e10497ad49419bec7fbe93386c57d3efbaadc0b" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + rule 
PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_C628 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2" - date = "2023-07-14" + hash = "0d30c6c4fa0216d0637b4049142bc275814fd674859373bd4af520ce173a1c75" + hash = "7164aaff86b3b7c588fc7ae7839cc09c5c8c6ae29d1aff5325adaf5bedd7c9f5" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ @@ -1736,7 +2606,7 @@ rule PUA_VULN_Driver_Wj_Kprocesshacker_7021 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ @@ -1757,7 +2627,7 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ 
@@ -1773,13 +2643,38 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F { } +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_8ED0 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8ed0c00920ce76e832701d45117ed00b12e20588cb6fe8039fbccdfef9841047" + hash = "e77786b21dbe73e9619ac9aac5e7e92989333d559aa22b4b65c97f0a42ff2e21" + hash = "9724488ca2ba4c787640c49131f4d1daae5bd47d6b2e7e5f9e8918b1d6f655be" + hash = "a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0037003400360035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0037003400360035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + all of them +} + + rule PUA_VULN_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C74 { meta: 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CupFixerx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006e0063006500790020004300750070002000460069007800650072 } /* FileDescription SinceyCupFixer */ @@ -1801,7 +2696,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_3B6E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -1823,7 +2718,7 @@ rule PUA_VULN_Driver_Mydriverscom_Hwm_Drivergenius_08EB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200470065006e0069007500730020004800610072006400770061007200650020006d006f006e00690074006f0072 } /* FileDescription DriverGeniusHardwaremonitor */ 
@@ -1839,13 +2734,36 @@ rule PUA_VULN_Driver_Mydriverscom_Hwm_Drivergenius_08EB { } +rule PUA_VULN_Driver_Rweverything_Asrsetupdrvsys_Asrsetupdrvdriver_A072 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrSetupDrv103.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a0728184caead84f2e88777d833765f2d8af6a20aad77b426e07e76ef91f5c3f" + hash = "9d9346e6f46f831e263385a9bd32428e01919cca26a035bbb8e9cb00bf410bc3" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* FileDescription AsrSetupDrvDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410073007200530065007400750070004400720076003100300033002e007300790073 } /* InternalName AsrSetupDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* ProductName AsrSetupDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410073007200530065007400750070004400720076003100300033002e007300790073 } /* OriginalFilename AsrSetupDrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */ + condition: + all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ 
@@ -1861,13 +2779,35 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 { } +rule PUA_VULN_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_9833 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "983310cdce8397c016bfcfcc9c3a8abbb5c928b235bc3c3ae3a3cc10ef24dfbd" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + condition: + all of them +} + + rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_8CFD { meta: description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -1889,7 +2829,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -1905,13 +2845,64 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 { } +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_AD8F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ad8fd8300ed375e22463cea8767f68857d9a3b0ff8585fbeb60acef89bf4a7d7" + hash = "0507d893e3fd2917c81c1dc13ccb22ae5402ab6ca9fb8d89485010838050d08d" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_0F3E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian 
Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0f3e7bf7b103613844a38afb574817ddaecd00e4d206d891660dbb0e5dfee04e" + hash = "62b14bb308c99132d90646e85bc7d6eb593f38e225c8232f69f24b74a019c176" + hash = "9dbc2a37f53507296cc912e7d354dab4e55541ba821561aa84f74d1bd8346be2" + hash = "71701c5c569ef67391c995a12b21ca06935b7799ed211d978f7877115c58dce0" + hash = "81bcd8a3f8c17ac6dc4bad750ad3417914db10aa15485094eef0951a3f72bdbd" + hash = "1a0f57a4d7c8137baf24c65d542729547b876979273df7a245aaeea87280c090" + hash = "65a3e69854c729659281d2c5f8a4c8274ad3606befdcd9e1b79d3262f260bfa1" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e0037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + condition: + all of them +} + + rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BDBC { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -1933,7 +2924,7 @@ rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ 
@@ -1948,6 +2939,31 @@ rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_6B71 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6b71b7f86e41540a82d7750a698e0386b74f52962b879cbb46f17935183cd2c7" + hash = "dd4fedd5662122cbfe046a12e2137294ef1cb7822238d9e24eacc78f22f8e93d" + hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" + hash = "1c2f1e2b0cc4da128feb73a6b9dd040df8495fefe861d69c9f44778c6ddb9b9b" + hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright 
CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hw.sys" @@ -1955,7 +2971,7 @@ rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c" hash = "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d00380020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ @@ -1977,7 +2993,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ 
@@ -1993,13 +3009,60 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster } +rule PUA_VULN_Driver_Innotekgmbh_Vboxusbmonsys_Virtualboxusbmonitordriver_3D05 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3d055be2671e136c937f361cef905e295ddb6983526341f1d5f80a16b7655b40" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_4C2D { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4c2d2122ef7a100e1651f2ec50528c0d1a2b8a71c075461f0dc58a1aca36bc61" + hash = "d59cc3765a2a9fa510273dded5a9f9ac5190f1edf24a00ffd6a1bbd1cb34c757" + hash = "dafa4459d88a8ab738b003b70953e0780f6b8f09344ce3cd631af70c78310b53" + hash = "46d1dc89cc5fa327e7adf3e3d6d498657240772b85548c17d2e356aac193dd28" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310038002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + all of them +} + + rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_7133 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian 
Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -2021,7 +3084,7 @@ rule PUA_VULN_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
@@ -2037,6 +3100,28 @@ rule PUA_VULN_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_83A1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "83a1fabf782d5f041132d7c7281525f6610207b38f33ff3c5e44eb9444dd0cbc" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule 
PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3FF3 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" @@ -2044,7 +3129,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa" hash = "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ 
@@ -2060,13 +3145,39 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 } +rule PUA_VULN_Driver_Novellinc_Novellxtier_1493 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "14938f68957ede6e2b742a550042119a8fbc9f14427fb89fa53fff12d243561c" + hash = "e4cf438838dc10b188b3d4a318fd9ba2479abb078458d7f97591c723e2d637ce" + hash = "41eeeb0472c7e9c3a7146a2133341cd74dd3f8b5064c9dee2c70e5daa060954f" + hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" + hash = "a495ffa623a5220179b0dd519935e255dd6910b7b7bc3d68906528496561ff53" + hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_6532 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ @@ -2088,7 +3199,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_1768 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -2110,7 +3221,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_D7E0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ 
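Review bot: PUA_VULN_Driver_Novellinc_Novellxtier_1493 lists six hashes while its strings pin exactly one FileVersion (`0033002e0031002e0036002e0030`, 3.1.6.0) and ProductVersion (3.1.6), so with `all of them` the rule can only fire on the samples whose VersionInfo carries those values; any listed hash from a different build would then be metadata that nothing in the rule detects. It is worth confirming that all six hashes share this VersionInfo, and the same check applies to the two-hash PUA_VULN_Driver_Novellinc_Novellxtier_F629 rule added in the hunk at `@@ -2367,13 +3498,35 @@`. If the hash list is copied verbatim from the upstream yaml, a generator comment such as `/* hashes are all builds known to carry this VersionInfo */` would make the intended relationship explicit.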
@@ -2130,7 +3241,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1A42 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -2152,7 +3263,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_BCFC { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2175,7 +3286,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039" hash = "b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -2191,13 +3302,35 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_EC9B { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ec9bd7fb90c3a2aa4605bd73fe1f74399e2cda75fd4c5fff84660ad4f797c4fe" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + rule 
PUA_VULN_Driver_Entechtaiwan_Seasys_Softenginex_6CB5 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Se64a.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006e005400650063006800200073006f006600740045006e00670069006e006500200078003600340020006b00650072006e0065006c002d006d006f006400650020006400720069007600650072 } /* FileDescription EnTechsoftEnginexkernelmodedriver */ @@ -2219,7 +3352,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ 
@@ -2235,25 +3368,23 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_E0B5 { +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7702 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" - hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" - hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" - date = "2023-07-14" + hash = "7702f240800528d8186e3e6a26e2680486fed65a6fb5a2a000ad12c1fb61a398" + date = "2023-07-31" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: all of them } 
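Review bot: Detection coverage for cpuz.sys is silently dropped here: the removed PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_E0B5 rule (three hashes) is replaced in place by the new HWiNFO 7702 rule and nothing in the diff re-adds it, and the hunk at `@@ -2474,23 +3715,23 @@` does the same to PUA_VULN_Driver_Novellinc_Novellxtier_B37B (libnicm.sys, two hashes). The commit message only describes additions, so this looks like a side effect of regenerating the file rather than a deliberate retirement. I would confirm that both rule names still appear elsewhere in the regenerated file, and if they were intentionally removed, say so in the commit description so downstream consumers of the rule set are not surprised by the missing rules.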
@@ -2265,7 +3396,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -2283,11 +3414,11 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE { rule PUA_VULN_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocker_F85C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IObitUnlocker.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription UnlockerDriver */ @@ -2309,7 +3440,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_5BD author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ 
@@ -2331,7 +3462,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -2353,7 +3484,7 @@ rule PUA_VULN_Driver_Multitheftauto_Mtasanandreas_9F4C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0075006c007400690020005400680065006600740020004100750074006f0020007000610074006300680020006400720069007600650072 } /* FileDescription MultiTheftAutopatchdriver */ 
@@ -2367,13 +3498,35 @@ rule PUA_VULN_Driver_Multitheftauto_Mtasanandreas_9F4C { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_F629 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f62911334068c9edd44b9c3e8dee8155a0097aa331dd4566a61afa3549f35f65" + hash = "0cf91e8f64a7c98dbeab21597bd76723aee892ed8fa4ee44b09f9e75089308e2" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Zemanaltd_Zam_45F4 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -2392,7 +3545,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3E1D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2414,7 +3567,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ 
@@ -2430,13 +3583,57 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D } +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_4ED2 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e00320030003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_CFA2 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "cfa28e2f624f927d4cbd2952306570d86901d2f24e3d07cc6277e98289d09783" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e002000260020004f00740068006500720073 } /* LegalCopyright SunMicrosystemsIncOthers */ + condition: + all of them +} + + rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B583 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo10X64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ 
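Review bot: The description of the new PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_4ED2 rule lists four file names, but with `all of them` it can only match the one build whose InternalName and OriginalFilename decode to `rtkio64.sys ` (trailing `0020`) and whose CompanyName, ProductName and LegalCopyright carry long runs of `0020` padding, as the hex strings show. The auto-generated `/* InternalName rtkiosys */` and `/* CompanyName Realtek */` comments strip those characters, so a reader is likely to assume the rule is broader than it is. If the description comes from the upstream yaml rather than this generator, narrowing it there to `rtkio64.sys`, or having the generator emit a comment such as `/* InternalName rtkio64.sys, trailing space is present in the sample's VersionInfo */`, would make the matched build explicit.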
@@ -2452,13 +3649,57 @@ rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B583 { } +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_88FB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "88fb0a846f52c3b680c695cd349bf56151a53a75a07b8b0b4fe026ab8aa0a9af" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdriver_4AE4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers 
project using VersionInfo values from the PE header - AsrAutoChkUpdDrv_1_0_32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ae42c1f11a98dee07a0d7199f611699511f1fb95120fabc4c3c349c485467fe" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* InternalName AsrAutoChkUpdDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* ProductName AsrAutoChkUpdDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* OriginalFilename AsrAutoChkUpdDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation 
*/ + condition: + all of them +} + + rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_F6CD { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ 
@@ -2474,23 +3715,23 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster } -rule PUA_VULN_Driver_Novellinc_Novellxtier_B37B { +rule PUA_VULN_Driver_Innotekgmbh_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_994F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b" - hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e" - date = "2023-07-14" + hash = "994f322def98c99aec7ea0036ef5f4b802120458782ae3867d116d55215c56e4" + date = "2023-07-31" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048002000260020004f00740068006500720073 } /* LegalCopyright innotekGmbHOthers */ condition: all of them } 
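Review bot: Replacing `PUA_VULN_Driver_Novellinc_Novellxtier_B37B` in place with the VBoxTAP rule silently drops coverage for the two libnicm.sys hashes it carried (`b37b3c68…`, `b50ffc60…`); the `..._Novellxtier_D04C` rule added in the hunk at `@@ -2607,13` pins FileVersion `3.1.12.0` under `all of them`, so it will not match files carrying the old rule's `3.1.6.0` version strings. The same pattern appears where `..._Asrockincorporation_Asrdrvsys_Asrockiodriver_950A` (seven hashes, InternalName AsrDrv.sys) is removed in the hunk at `@@ -2986,41` — the new AsrAutoChkUpdDrv rule shares its vendor strings but not its FileDescription/InternalName — and where the NICM.SYS rule is replaced at `@@ -3060,23`. Unless these rules reappear elsewhere in the regenerated file, this merge loses detections without any hunk saying so; the generator or CI should compare the set of `hash` meta values before and after regeneration and fail (or at least report) when a previously listed hash is no longer referenced by any rule.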
@@ -2502,7 +3743,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2A62 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -2524,7 +3765,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -2547,7 +3788,7 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_092D reference = "https://github.com/magicsword-io/LOLDrivers" hash = "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0" hash = "0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ 
@@ -2563,13 +3804,36 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_092D } +rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_9D53 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9d530642aeb6524691d06b9e02a84e3487c9cdd86c264b105035d925c984823a" + hash = "5e27fe26110d2b9f6c2bad407d3d0611356576b531564f75ff96f9f72d5fcae4" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ + condition: + all of them +} + + rule PUA_VULN_Driver_Supermicrocomputerinc_Phymem_Phymem_1963 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - phymem64.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" hash = "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007000680079006d0065006d0020004100700070006c00690063006100740069006f006e } /* FileDescription phymemApplication */ @@ -2591,7 +3855,7 @@ rule PUA_VULN_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmemsys_Physi author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* FileDescription PhysicalMemoryAccessDriver */ 
@@ -2607,13 +3871,37 @@ rule PUA_VULN_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmemsys_Physi } +rule PUA_VULN_Driver_Novellinc_Novellxtier_D04C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d04c72fd31e7d36b101ad30e119e14f6df9cbc7a761526da9b77f9e0b9888bc4" + hash = "3b7177e9a10c1392633c5f605600bb23c8629379f7f42957972374a05d4dc458" + hash = "87e094214feb56a482cd8ae7ee7c7882b5a8dccce7947fdaa04a660fa19f41e5" + hash = "72b67b6b38f5e5447880447a55fead7f1de51ca37ae4a0c2b2f23a4cb7455f35" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + 
condition: + all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_E839 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004300500055005f00430043 } /* FileDescription NTIOLibforMSICPUCC */ @@ -2631,11 +3919,11 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_E839 { rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F85E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -2657,8 +3945,11 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_6C71 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44" + hash = "8b688dd055ead2c915a139598c8db7962b42cb6e744eaacfcb338c093fc1f4e7" + hash = "84739539aa6a9c9cb3c48c53f9399742883f17f24e081ebfa7bfaaf59f3ed451" + hash = "e279e425d906ba77784fb5b2738913f5065a567d03abe4fd5571695d418c1c0f" hash = "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ @@ -2679,7 +3970,7 @@ rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_DD4A { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ @@ -2702,7 +3993,7 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_0005 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b" hash = "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ 
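Review bot: The `date` meta is rewritten to `2023-07-31` on every rule the generator touches, including rules where nothing but the date changes (the three hunks on the preceding line and the two following this one) and rules such as `..._Novellxtier_6C71` here where only hashes were appended; the field therefore no longer tells a consumer when a rule's logic last changed, and every regeneration will produce a diff on every rule. Consider having the generator preserve `date` for rules whose strings and condition are unchanged, or emit a separate `modified` meta for the regeneration timestamp, e.g. `date = "2023-07-14"` kept and `modified = "2023-07-31"` added. This is inferred from the hunks visible here; the generator itself is not part of this diff.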
@@ -2724,7 +4015,7 @@ rule PUA_VULN_Driver_Creativetechnologyinnovationcoltd_Ctiiosys_Ctiiodriverversi author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430054004900200049004f0020006400720069007600650072 } /* FileDescription CTIIOdriver */ @@ -2746,7 +4037,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
@@ -2762,6 +4053,28 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { } +rule PUA_VULN_Driver_Elaboratebytes_Elbycdio_Cdrtools_98EC { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "98ec7cc994d26699f5d26103a0aeb361128cff3c2c4d624fc99126540e23e97e" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ + condition: + all of them +} + + rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F { meta: description = "Detects vulnerable driver mentioned in LOLDrivers 
project using VersionInfo values from the PE header - ATSZIO.sys" @@ -2772,7 +4085,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F { hash = "0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c" hash = "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f" hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -2795,7 +4108,7 @@ rule PUA_VULN_Driver_Huawei_Hwosec_Huaweimatebook_BB11 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc" hash = "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480077004f0073003200450063 } /* FileDescription HwOsEc */ @@ -2817,7 +4130,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -2833,13 +4146,59 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { } +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_0BD1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0bd1523a68900b80ed1bccb967643525cca55d4ff4622d0128913690e6bb619e" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_1FAC { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values 
from the PE header - EIO.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718" + hash = "f4c7e94a7c2e49b130671b573a9e4ff4527a777978f371c659c3f97c14d126de" + hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ + condition: + all of them +} + + rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -2855,13 +4214,35 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 { } +rule PUA_VULN_Driver_Netfiltersys_F171 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f1718a005232d1261894b798a60c73d971416359b70d0e545d7e7a40ed742b71" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e0038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + all of them +} + + rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_074A { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" hash = "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -2884,7 +4265,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54" hash = "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -2906,7 +4287,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_818E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -2929,7 +4310,7 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_5FAD { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36" hash = "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ @@ -2951,7 +4332,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_ED2F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2973,7 +4354,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_DE8F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ 
@@ -2986,41 +4367,13 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_DE8F { } -rule PUA_VULN_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_950A { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrOmgDrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9" - hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" - hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" - hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" - hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838" - hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d" - hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ - condition: - all of them -} - - rule PUA_VULN_Driver_Zemanaltd_Zam_E428 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3044,7 +4397,7 @@ rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_0AAF { hash = "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14" hash = "2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a" hash = "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* FileDescription RWEverythingReadWriteDriver */ 
@@ -3060,23 +4413,45 @@ rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_0AAF { } -rule PUA_VULN_Driver_Novellinc_Novellxtier_CF31 { +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_CBF7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NICM.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" - hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" - date = "2023-07-14" + hash = "cbf74bed1a4d3d5819b7c50e9d91e5760db1562d8032122edac6f0970f427183" + date = "2023-07-31" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e00640072006100200044006500760069006300650020004400720069007600650072002000280049004100360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverIAUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1284 { + meta: + description = 
"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0032002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0032002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300035002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ condition: all of them } 
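Review bot: Removing PUA_VULN_Driver_Novellinc_Novellxtier_CF31 drops the two NICM.SYS hashes (cf3180f5…, 904e0f7d…), and the libnicm.sys rule added further down in this patch is not a substitute: its OriginalFilename string, copyright range (2000-2011 versus 2000-2008) and hashes are all different. Please confirm the NICM.SYS entry is still present in the source data or was intentionally retired. The two new Sandra rules are fine as written — each binds `all of them` to one exact FileVersion (15.18.1.1 and 10.2.1.1) so they cannot overlap — but that also means any further vulnerable SANDRA build will need its own rule rather than being caught by these.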
@@ -3088,7 +4463,7 @@ rule PUA_VULN_Driver_Logitechinc_Lvavsys_Logitechwebcamsoftware_E86C {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f00670069007400650063006800200056006900640065006f0020004400720069007600650072 } /* FileDescription LogitechVideoDriver */
@@ -3110,7 +4485,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_2BBC {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
@@ -3129,7 +4504,7 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F15A {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */
@@ -3145,35 +4520,13 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F15A { } -rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_93D8 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ - condition: - all of them -} - - rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_86A1 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" 
reference = "https://github.com/magicsword-io/LOLDrivers" hash = "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3195,7 +4548,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3217,7 +4570,7 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltxsys_Panca author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ @@ -3241,7 +4594,7 @@ rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodena hash = "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab" hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82" hash = "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ 
@@ -3257,38 +4610,13 @@ rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodena } -rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_2EF7 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e" - hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98" - hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126" - hash = "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ - condition: - all of them -} - - rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_6FFD { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c00650020004e006f00540072006100700020004200750069006c0064 } /* FileDescription TrendMicroCommonModuleNoTrapBuild */ @@ -3310,7 +4638,7 @@ rule PUA_VULN_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserverddkdriv author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200044006500760069006300650020004400720069007600650072 } /* FileDescription SpeedFanDeviceDriver */ 
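Review bot: Removing PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_2EF7 leaves the four cpuz.sys hashes it carried (2ef7df38…, dbb457ae…, 8e5aef7c…, 49329fa0…) with no matching rule anywhere in this patch. The rule's own description marks cpuz.sys as a LOLDrivers-listed vulnerable driver, so this is a coverage regression unless the entry was deliberately retired; please check the source data for that driver before merging. The TmComm.sys lines in the same hunk are only the date bump and need no change.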
@@ -3326,13 +4654,35 @@ rule PUA_VULN_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserverddkdriv } +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_F4EE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f4ee803eefdb4eaeedb3024c3516f1f9a202c77f4870d6b74356bbde32b3b560" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_AD8F { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from 
the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -3354,7 +4704,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_34E author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -3376,7 +4726,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
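Review bot: The trailing comments on the new Almico rule lose exactly the information that makes the strings readable: `/* FileVersion X */` and `/* ProductVersion X */` stand for hex that decodes to `X2.03.11`, and `/* LegalCopyright CopyrightAlmicoSoftware */` drops the `2001-2013` range, because the generator strips digits and punctuation before writing the comment; the same stripping produced the `_Speedfan_X_` fragment in the rule name. Keeping digits, dots and dashes in the comment, e.g. `/* FileVersion X2.03.11 */` and `/* LegalCopyright Copyright (c) Almico Software 2001-2013 */`, would let an analyst see which build a rule pins without decoding UTF-16 hex. This is a generator-side change and would apply to every rule in the file, not only this hunk.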
@@ -3392,37 +4742,13 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { } -rule PUA_VULN_Driver_Powertool_Kevpsys_Powertool_1AAA { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" - hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" - hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */ - condition: - all of them -} - - rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2FBB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -3444,7 +4770,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_14AD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3466,7 +4792,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E4D9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
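Review bot: Removing PUA_VULN_Driver_Powertool_Kevpsys_Powertool_1AAA drops the three kEvP64.sys hashes (1aaa9aef…, 09b0e07a…, 8e6363a6…) with no replacement rule in this patch; as with the other rule removals here, please confirm the kEvP64.sys entry still exists in the source data rather than having been lost in regeneration. The `ElbyCDIO.sys` to `elbycdio.sys` description change in the same hunk is harmless, but the OriginalFilename hex in the ElbyCDIO rule added later in this patch still decodes to the mixed-case `ElbyCDIO.sys`, so keeping the on-disk casing in the description would make the rules easier to grep against file listings.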
@@ -3488,7 +4814,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F65 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
@@ -3512,7 +4838,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3
 hash = "3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc"
 hash = "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7"
 hash = "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
@@ -3528,13 +4854,35 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6E9E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6e9e9e0b9a23deec5f28dc45f0bbe7423565f037f74be2957e82e5f72c886094" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003800300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00380030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + rule 
PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_A2F4 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -3556,7 +4904,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_DCB8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3580,7 +4928,7 @@ rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxd hash = "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d" hash = "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af" hash = "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ 
@@ -3598,11 +4946,11 @@ rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxd rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ @@ -3620,11 +4968,11 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_496F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ 
@@ -3646,7 +4994,7 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_43BA {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d004900430053005900530020006400720069007600650072 } /* FileDescription MICSYSdriver */
@@ -3669,7 +5017,7 @@ rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_4880 {
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8"
 hash = "55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d003100300020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */
@@ -3685,13 +5033,59 @@ rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_4880 { } +rule PUA_VULN_Driver_Overclockingtool_Atillksys_Overclockingtool_11A9 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "11a9787831ac4f0657aeb5e7019c23acc39d8833faf28f85bd10d7590ea4cc5f" + hash = "d2182b6ef3255c7c1a69223cd3c2d68eb8ba3112ce433cd49cd803dc76412d4b" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f0076006500720063006c006f0063006b0069006e00670020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription OverclockingHardwareAbstractionSys */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* CompanyName OverclockingTool */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* ProductName OverclockingTool */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002c00200032003000300035 } /* LegalCopyright CopyrightC */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_0C92 
{ + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0c925468c3376458d0e1ec65e097bd1a81a03901035c0195e8f6ef904ef3f901" + hash = "16e2b071991b470a76dff4b6312d3c7e2133ad9ac4b6a62dda4e32281952fb23" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + all of them +} + + rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -3713,7 +5107,7 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibra author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ 
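Review bot: The new PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_0C92 pins FileVersion 1.0.12.3137 (copyright 2010-2014), while the 93D8 rule removed earlier in this patch pinned 1.0.12.10155 (copyright 2010-2017, hash 93d873cd…), so after this change the newer rzpnk.sys build is no longer detected. Both builds belong in the rule set; this looks like the source entry for rzpnk.sys either lost a hash or the generator emitted only one of two entries, and is worth checking rather than treating the swap as intentional. Minor: the Atillk rule's `/* LegalCopyright CopyrightC */` comment has had `(C), 2005` stripped, so it no longer tells a reader what the string actually pins.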
@@ -3729,13 +5123,57 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibra } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_0DC4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0dc4ff96d7e7db696e0391c5a1dda92a0b0aedbf1b0535bf5d62ebeec5b2311c" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_66F8 { + 
meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "66f8bd2b29763acfbb7423f4c3c9c3af9f3ca4113bd580ab32f6e3ee4a4fc64e" + hash = "7f84f009704bc36f0e97c7be3de90648a5e7c21b4f870e4f210514d4418079a0" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo 
values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ 
@@ -3751,13 +5189,35 @@ rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { } +rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_D0EB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d0eb3ba0aff471d19260192784bf9f056d669b779b6eaff84e732b7124ce1d11" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -3773,13 +5233,35 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1F15 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1f15fd9b81092a98fabcc4ac95e45cec2d9ff3874d2e3faac482f3e86edad441" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Fujitsulimited_Advdrvsys_Microsoftrwindowsroperatingsystem_04A8 { meta: 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ADV64DRV.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460055004a00490054005300550020004c0049004d0049005400450044002e } /* CompanyName FUJITSULIMITED */ @@ -3800,7 +5282,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0CD author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -3822,7 +5304,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7837 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -3844,7 +5326,7 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsys_Pancaf author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ @@ -3866,7 +5348,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_D0BD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -3888,7 +5370,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_4E37 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -3910,7 +5392,7 @@ rule PUA_VULN_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f006200690074002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription IObitTemperatureMonitor */ @@ -3928,11 +5410,11 @@ rule PUA_VULN_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_881B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -3954,7 +5436,7 @@ rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_3D23 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ 
@@ -3978,7 +5460,7 @@ rule PUA_VULN_Driver_Windowsrwinddkprovider_Vmdrvsys_Windowsrwinddkdriver_D884 { hash = "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3" hash = "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921" hash = "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0056006f006900630065006d006f00640020005600690072007400750061006c00200041007500640069006f00200044006500760069006300650020002800570044004d0029 } /* FileDescription VoicemodVirtualAudioDeviceWDM */ @@ -4001,7 +5483,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_C reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc" hash = "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -4023,7 +5505,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F69 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -4045,7 +5527,7 @@ rule PUA_VULN_Driver_Oti_Otipcibussys_Kernelmodedrivertoaccessphysicalmemoryandp author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200041006300630065007300730020004400720069007600650072 } /* FileDescription HardwareAccessDriver */ @@ -4067,7 +5549,7 @@ rule PUA_VULN_Driver_Atszio_Atsziodriver_673B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b" hash = "31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -4084,11 +5566,11 @@ rule PUA_VULN_Driver_Atszio_Atsziodriver_673B { rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -4104,13 +5586,35 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB { } +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_D7C7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright 
CopyrightSiSoftwareLtdPresentAllrightsreserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_A802 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4132,7 +5636,7 @@ rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windowsrcoden author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041005300550053002000540044004500200043005000550020004400720069007600650072 } /* FileDescription ASUSTDECPUDriver */ @@ -4154,7 +5658,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
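Review bot: The new `PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_D7C7` rule describes its target as `sandra.sys`, while the two sibling Sandra rules touched elsewhere in this same patch (`_3E27`, `_881B`) are changed to `SANDRA.sys`, and the ElbyCDIO rules are being normalised the other way (`ElbyCDIO.sys` → `elbycdio.sys`). Since these descriptions appear to be emitted from the driver YAMLs, the casing should be normalised once in the generator rather than inherited per entry, e.g. `description = "... VersionInfo values from the PE header - sandra.sys"` everywhere; otherwise analysts grepping the rule set for a filename will miss half the hits. This is a wording-only point and does not affect what the rule matches.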
@@ -4170,45 +5674,23 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { } -rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_358A { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ - condition: - all of them -} - - -rule PUA_VULN_Driver_Novellinc_Novellxtier_CE23 { +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_1E94 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo 
values from the PE header - sfdrvx32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" - hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" - date = "2023-07-14" + hash = "1e94d4e6d903e98f60c240dc841dcace5f9e8bbb0802e6648a49ab80c23318cb" + date = "2023-07-31" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = 
{ 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ condition: all of them } @@ -4220,7 +5702,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_3C18 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -4239,7 +5721,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
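Review bot: This hunk deletes `PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_358A` and `PUA_VULN_Driver_Novellinc_Novellxtier_CE23` (covering hashes 358ac54b…, ce23c2da… and 28999af3…) and only adds the SpeedFan `sfdrvx32.sys` rule in their place, so detection for WiseUnlo.sys and nscm.sys is dropped unless those rules now live in a part of the file not shown here. The later hunk at `-4321` appears to remove the second nscm.sys rule (`..._Novellxtier_8E88`) as well, which makes an accidental regeneration from an incomplete YAML set more likely than a deliberate retirement. If the generator dropped them because the corresponding driver YAMLs were removed or renamed, the commit message should say so explicitly; if not, the rules should be restored (or the generator's input set fixed) before this lands, since this file is the detection artefact consumers pull.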
@@ -4255,13 +5737,35 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_3E85 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3e85cf32562a47d51827b21ab1e7f8c26c0dbd1cd86272f3cc64caae61a7e5fb" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Hpdevelopmentcompany_Etdsuppsys_Hpetdidriverdll_F744 { meta: description = 
"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - etdsupp.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004500540044006900200053007500700070006f007200740020004400720069007600650072 } /* FileDescription ETDiSupportDriver */ @@ -4283,7 +5787,7 @@ rule PUA_VULN_Driver_Asus_Asmmapsys_Atkgenericfunctionservice_025E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0065006d006f007200790020006d0061007000700069006e00670020004400720069007600650072 } /* FileDescription MemorymappingDriver */ @@ -4305,7 +5809,7 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ 
@@ -4321,34 +5825,13 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 { } -rule PUA_VULN_Driver_Novellinc_Novellxtier_8E88 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ - condition: - all of them -} - - rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0B54 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author 
= "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -4370,7 +5853,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -4393,7 +5876,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_5439 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91" hash = "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ 
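Review bot: The rule PUA_VULN_Driver_Novellinc_Novellxtier_8E88 for nscm.sys (hash 8e88cb80…) is deleted in this hunk and no rule carrying that hash is added in any visible hunk; the two Novell rules added later (E89C and 6CF1) cover libnicm.sys, not nscm.sys. Unless the rule was relocated to a part of the file outside this view, the patch silently drops detection for a driver on the LOLDrivers list, and the commit message describes only additions and the script fix. Worth confirming against the generator output or restoring the rule. The remainder of the hunk is a date bump on the aswArPot 0B54 rule, whose body continues past the hunk.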
@@ -4406,13 +5889,57 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_5439 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_FF1C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ff1ccef7374a1a5054a6f4437e3e0504b14ed76e17090cc6b1a4ec0e2da427a5" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003600300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00360030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + +rule 
PUA_VULN_Driver_Realixtm_Hwinfoisys_Hwinfoiakerneldriver_33C6 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO64I.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "33c6c622464f80a8d8017a03ff3aa196840da8bb03bfb5212b51612b5cf953dc" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOIAKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e00370032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00370032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* InternalName HWiNFOISYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOIAKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* OriginalFilename HWiNFOISYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100320020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -4428,13 +5955,57 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7125 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7125c9831a52d89d3d59fb28043b67fbe0068d69732da006fabb95550d1fa730" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + +rule 
PUA_VULN_Driver_Novellinc_Novellxtier_E89C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e89cb7217ec1568b43ad9ca35bf059b17c3e26f093e373ab6ebdeee24272db21" + hash = "834a3d755b5ae798561f8e5fbb18cf28dfcae7a111dc6a03967888e9d10f6d78" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Advancedmicrodevicesinc_Amdpowerprofilersys_Amduprof_0AF5 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDPowerProfiler.sys" author = 
"Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d004400200050006f007700650072002000500072006f00660069006c0069006e00670020004400720069007600650072 } /* FileDescription AMDPowerProfilingDriver */ @@ -4456,7 +6027,7 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_Paniolibr author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ 
@@ -4472,13 +6043,35 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_Paniolibr } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_8DCE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8dcec67a1f4903981c3e0ab938784c2f241e041e26748e1c22059e0e507cfb37" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + rule 
PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1AAF { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -4500,7 +6093,7 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_1D03 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ @@ -4523,7 +6116,7 @@ rule PUA_VULN_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b" hash = "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ 
@@ -4539,13 +6132,35 @@ rule PUA_VULN_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF { } +rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_0452 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0452a6e8f00bae0b79335c1799a26b2b77d603451f2e6cc3b137ad91996d4dec" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswvmmsys_Avastantivirus_3650 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswVmm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00610076006100730074002100200056004d0020004d006f006e00690074006f0072 } /* FileDescription avastVMMonitor */ @@ -4567,7 +6182,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -4583,6 +6198,28 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { } +rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_DD62 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "dd628061d6e53f3f0b44f409ad914b3494c5d7b5ff6ff0e8fc3161aacec93e96" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d0020004400720069007600650072 } /* FileDescription TrendMicroELAMDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FCA1 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" @@ -4590,7 +6227,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FCA1 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c" hash = "7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -4606,6 +6243,28 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FCA1 { } +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_DB71 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "db711ec3f4c96b60e4ed674d60c20ff7212d80e34b7aa171ad626eaa8399e8c7" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e0032003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_7E81 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" @@ -4613,7 +6272,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d" hash = "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ 
@@ -4629,23 +6288,63 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster } +rule PUA_VULN_Driver_Novellinc_Novellxtier_6CF1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6cf1cac0e97d30bb445b710fd8513879678a8b07be95d309cbf29e9b328ff259" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310030002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B175 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
EIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0" - date = "2023-07-14" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000370020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ + condition: + all of them +} + + +rule PUA_VULN_Driver_3F20 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - pchunter.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3f20ac5dac9171857fc5791865458fdb6eac4fab837d7eabc42cb0a83cb522fc" + date = "2023-07-31" score = 40 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390036 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000370020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]7cfb7edf4fe1606f67e5770b5de55177 } /* FileDescription */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8982af7f5176feff0853174eacff0979d1628067099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0035002e0037 } /* ProductVersion */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200032003000310039002d003200300032003100200041006e00580069006e00530065006300200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CAnXinSecCorporationAllRightsReserved */ condition: all of them } @@ -4657,7 +6356,7 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -4679,7 +6378,7 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_119C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f00360034 } /* FileDescription ALSysIO */ 
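Review bot: The new rule `PUA_VULN_Driver_3F20` is the only rule in these hunks whose name has no vendor, file or product component, and its FileDescription and CompanyName strings end in empty comments (`/* FileDescription */`, `/* CompanyName */`); both values are CJK UTF-16 text (`7cfb7edf…`, `5b8982af…`), so the name generator evidently discarded every character. A match on this rule is therefore hard to triage from its name alone, unlike its neighbours. The description and LegalCopyright in the same rule already identify the driver, so a name such as `PUA_VULN_Driver_Anxinsec_Pchuntersys_3F20`, with the two comments reading `/* FileDescription (CJK, see description) */` and `/* CompanyName (CJK, AnXinSec per LegalCopyright) */`, would restore consistency with the other rules. The rest of the hunk only reorders the ASUS B175 rule around the insertion and bumps its date.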
@@ -4695,13 +6394,35 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_119C { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9CA5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9ca586b49135166eea00c6f83329a2d134152e0e9423822a51c13394265b6340" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_1DDF { meta: description = "Detects vulnerable driver 
mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -4723,7 +6444,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_12ED { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4745,7 +6466,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3D9E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004e00540049004f004c00690062005f00450043004f } /* FileDescription NTIOLibForNTIOLibECO */ @@ -4767,7 +6488,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_A5A5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
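Review bot: The new rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9CA5 conditions on a bare `all of them`, so it fires on anything that carries this VersionInfo block — an installer or CAB that embeds elbycdio.sys, a memory dump — and not only the driver image; every rule in this file has the same shape, but it is worth deciding that deliberately. If the target is the .sys on disk, `condition: uint16(0) == 0x5a4d and filesize < 4MB and all of them` limits hits to PE files and spares the scanner running eight long hex strings across large archives. If catching embedded copies is intended, one sentence in the description saying so would keep the score of 40 from being read as a driver-only verdict. The NTIOLib 1DDF rule that closes this hunk is only a date bump and its body continues outside the hunk.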
@@ -4789,7 +6510,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_2CE author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -4811,7 +6532,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -4827,13 +6548,57 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4E54 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4e54e98df13110aac41f3207e400cce2a00df29ce18c32186e536c1de25a75ce" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000390020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + +rule 
PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_A6F7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a6f7897cd08fe9de5e902bb204ff87215584a008f458357d019a50d6139ca4af" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e00320030003100320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e0032003000310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0F01 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ 
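Review bot: In PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_A6F7 the description promises coverage of `rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys`, but the InternalName and OriginalFilename strings decode to `rtkio64.sys ` (trailing 0020 included), and under `all of them` only that one name can ever match. Either narrow the description to `- rtkio64.sys` or have the generator emit the name strings as an `any of` group; as written, a reader trusting the description will expect hits on the 32-bit and Win8/10 builds this rule cannot produce. The generated comment `/* InternalName rtkiosys */` strips digits and punctuation, which is what hides the discrepancy — keeping the decoded value verbatim (`/* InternalName "rtkio64.sys " */`) would make every string auditable at a glance. The HWiNFO 4E54 rule in the same hunk is consistent with its own description.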
@@ -4849,13 +6614,57 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ } +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxusbmonsys_Virtualboxusbmonitordriver_8A24 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8a2482e19040d591c7cec5dfc35865596ce0154350b5c4e1c9eecc86e7752145" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ + condition: + all of them +} + + +rule 
PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_033C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "033c4634ab1a43bc3247384864f3380401d3b4006a383312193799dded0de4c7" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_C082 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4878,7 +6687,7 @@ rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_47EA { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84" hash = "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ @@ -4900,7 +6709,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_591B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d005300490052006100740069006f005f00430043 } /* FileDescription NTIOLibForMSIRatioCC */ @@ -4922,7 +6731,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3124 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004600720065007100750065006e00630079005f00430043 } /* FileDescription NTIOLibforMSIFrequencyCC */ 
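Review bot: PUA_VULN_Driver_Sunmicrosystemsinc_Vboxusbmonsys_Virtualboxusbmonitordriver_8A24 carries no build identifier: FileVersion and ProductVersion are both `1.00`, the copyright has no year, and the LegalCopyright hex is byte-for-byte the same as CompanyName (`00530075006e0020004d006900630072006f...`), so the eighth string adds no discrimination. Unlike the neighbouring per-build rules, this one should be expected to hit any Sun-branded VBoxUSBMon.sys with that metadata, not only hash 8a2482e1…; that may be desirable for a vulnerable-driver family, but the description should say so instead of implying a single sample. Something like `description = "... - VBoxUSBMon.sys (version info carries no build number; expect hits on all Sun Microsystems-branded builds)"` sets expectations for anyone tuning on it. The Elbycdio 033C rule in the same hunk has the usual per-build shape.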
@@ -4938,13 +6747,35 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3124 { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5148 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "51480eebbbfb684149842c3e19a8ffbd3f71183c017e0c4bc6cf06aacf9c0292" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003300200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Safenetinc_Hostnt_Hostnt_07B6 { meta: description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HOSTNT.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006f00730074006e0074002000360034002d0062006900740020006400720069007600650072 } /* FileDescription Hostntbitdriver */ 
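Review bot: PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5148 is one of four elbycdio.sys rules added by this patch (9CA5, 033C and 16B5 are visible elsewhere in the diff), and they differ only in the FileVersion string, the `x64` versus `NT/2000/XP` words of FileDescription, and the copyright year. Because each pins FileVersion under `all of them`, a build of the same driver that is not yet in LOLDrivers slips past all four. Consider adding, beside the generated per-hash rules, one family rule that keeps CompanyName, InternalName, ProductName and OriginalFilename and drops the version and copyright strings — with those four strings named, `condition: all of ($cn, $in, $pn, $of)` — so the per-hash rules act as the high-confidence tier and the family rule as the catch-all. The Hostnt 07B6 rule closing this hunk is only a date bump and its body continues outside the hunk.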
@@ -4960,13 +6791,35 @@ rule PUA_VULN_Driver_Safenetinc_Hostnt_Hostnt_07B6 { } +rule PUA_VULN_Driver_Proxydrvsys_Nn_0B20 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0b205838a8271daea89656b1ec7c5bb7244c42a8b8000d7697e92095da6b9b94" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c00330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" hash = "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4988,7 +6841,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_76E8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5010,7 +6863,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_2D2C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -5032,7 +6885,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -5048,13 +6901,36 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 { } +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_442C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "442c18aeb09556bb779b21185c4f7e152b892410429c123c86fc209a802bff3c" + hash = "3e1f592533625bf794e0184485a4407782018718ae797103f9e968ff6f0973a1" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e0032003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* 
OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Zemanaltd_Zam_9A95 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -5073,7 +6949,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CC58 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ 
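Review bot: PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_442C encodes the sample's space padding verbatim: CompanyName is `Realtek` followed by a long run of `0020` words, ProductName and LegalCopyright end in `0020` runs, and InternalName/OriginalFilename end with a trailing space (`...0073007900730020`). YARA hex strings are substring matches, so truncating each value at its last non-space character (`005200650061006c00740065006b` for CompanyName) still matches both hashes listed here while no longer letting a different pad width in another build defeat `all of them`. That trimming belongs in the generator (strip trailing whitespace before hex-encoding) so the A6F7 rule earlier in this diff gets the same treatment. As with A6F7, the description lists four file names while the name strings pin `rtkio64.sys `.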
@@ -5095,7 +6971,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_C901 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5117,7 +6993,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
@@ -5133,6 +7009,50 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4AC0 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ac08a6035cfcafdac712d7c3cf2eef6e10258f14cee6e80e1ef2f71f5045173" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003900300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00390030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + +rule 
PUA_VULN_Driver_Logitech_Lgcoretempsys_Lgcoretemp_E0CB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgCoreTemp.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430050005500200043006f00720065002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription CPUCoreTemperatureMonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f006700690074006500630068 } /* CompanyName Logitech */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* InternalName LgCoreTempsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070 } /* ProductName LgCoreTemp */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* OriginalFilename LgCoreTempsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004c006f006700690074006500630068002c00200049006e0063 } /* LegalCopyright CopyrightLogitechInc */ + condition: + all of them +} + + rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_C64D { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" 
@@ -5140,7 +7060,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_C64D { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc" hash = "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ 
@@ -5156,13 +7076,56 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_C64D { } +rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_7A2C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7a2cd1dc110d014165c001ce65578da0c0c8d7d41cc1fa44f974e8a82296fc25" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e003100200028003200300030003600300038003000380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_16B5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = 
"Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "16b591cf5dc1e7282fdb25e45497fe3efc8095cbe31c05f6d97c5221a9a547e1" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_263E { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24" - date = 
"2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -5184,7 +7147,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E3EF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5206,7 +7169,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_98B7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f0072002000440065006200750067004c00450044 } /* FileDescription NTIOLibforDebugLED */ @@ -5228,7 +7191,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ 
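Review bot: The trailing comments on the new rules' hex strings are lossy, which makes the rules hard to audit: in the Novell rule `0033002e0031002e0030002e0030 } /* FileVersion */` decodes to "3.1.0.0" but the comment carries no value, and `/* ProductVersion v */` stands for "v3.1 (20060808)", because digits and punctuation are dropped from the decoded text. The same shape recurs in the additions at `@@ -5311`, `@@ -5355`, `@@ -5487`, `@@ -5531`, `@@ -5750` and `@@ -5772`; in the `@@ -5355` netfilter2 rule the CompanyName and ProductName comments are entirely empty because the UTF-16 values are non-Latin, and in the `@@ -5772` viragt rule both the InternalName pattern ("viragt.sys") and the OriginalFilename pattern ("viragt64.sys") are annotated `viragtsys`, hiding a real difference between the two fields. An analyst triaging a hit cannot tell from the rule text which build it pins without decoding the hex by hand. Consider having the generator emit the full decoded value, e.g. `/* FileVersion 3.1.0.0 */`, and an explicit marker such as `/* CompanyName: non-Latin UTF-16, not rendered */` where the text cannot be shown.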
@@ -5250,7 +7213,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5268,11 +7231,11 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -5295,7 +7258,7 @@ rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5" hash = "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ 
@@ -5311,13 +7274,35 @@ rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD { } +rule PUA_VULN_Driver_Genitlkiwibenjaminxxxxx_Titidrv_Titidrvtiticatz_208E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - titidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "208ea38734979aa2c86332eba1ea5269999227077ff110ac0a0d411073165f85" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007400690074006900640072007600200066006f0072002000570069006e0064006f00770073002000280074006900740069006300610074007a0029 } /* FileDescription titidrvforWindowstiticatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* CompanyName genitlkiwiBenjaminXXXXX */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0074006900740069006400720076 } /* InternalName titidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0074006900740069006400720076002000280074006900740069006300610074007a0029 } /* ProductName titidrvtiticatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0074006900740069006400720076002e007300790073 } /* OriginalFilename titidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* LegalCopyright CopyrightcgenitlkiwiBenjaminXXXXX */ + condition: + all of 
them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5339,7 +7324,7 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
@@ -5355,13 +7340,37 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 { } +rule PUA_VULN_Driver_Netfiltersys_79E7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "79e7165e626c7bde546cd1bea4b9ec206de8bed7821479856bdb0a2adc3e3617" + hash = "edc6e32e3545f859e5b49ece1cabd13623122c1f03a2f7454a61034b3ff577ed" + hash = "18b923b169b2c3c7db5cbfda0db0999f04adb2cf6c917e5b1fb2ff04714ecac1" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f56689a7152a865874ef6 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + all of them +} + + rule 
PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E05E { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -5383,7 +7392,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_478D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5405,7 +7414,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_BE8D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
@@ -5427,7 +7436,7 @@ rule PUA_VULN_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdri author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ @@ -5449,7 +7458,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_0F17 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -5471,7 +7480,7 @@ rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyvektortrev author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
@@ -5487,13 +7496,35 @@ rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyvektortrev } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7CF7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7cf756afcaf2ce4f8fb479fdede152a17eabf4c5c7c329699dab026a4c1d4fd0" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_4408 { 
meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -5515,7 +7546,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
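Review bot: The new `PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7CF7` rule is a near-duplicate of the `_828A` rule added at `@@ -5531` and of the existing `_8137` and `_EEA5` Elbycdio rules: apart from the `hash` line they differ only in the FileVersion pattern (`0036002c00200030002c00200030002c00200037` here, "6, 0, 0, 7", versus "6, 0, 1, 0" in `_828A`), so every other string is repeated verbatim per rule. If the one-rule-per-hash layout is a deliberate property of the generator, a short comment in the rule header saying so would stop reviewers from treating the repetition as copy-paste drift; otherwise one rule per driver with the version patterns as a named set (`$fv1`, `$fv2`, … and `1 of ($fv*)` alongside `all of` the remaining strings) would express the same coverage with far less duplicated hex. The FileVersion values are distinct, so the rules as written do not overlap; this is a maintainability point, not a detection gap.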
@@ -5531,13 +7562,35 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_828A { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "828a18b16418c021b6c4aa8c6d54cef4e815efca0d48b9ff14822f9ccb69dff2" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_3FA6 { meta: description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5559,7 +7612,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_80A5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5581,7 +7634,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_D783 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -5603,7 +7656,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_ADC1 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5625,7 +7678,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_9254 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004400440052005f00430043 } /* FileDescription NTIOLibforMSIDDRCC */ @@ -5647,7 +7700,7 @@ rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_F060 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ @@ -5669,7 +7722,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_EF6D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -5691,7 +7744,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_CC68 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5713,7 +7766,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Activeclean_A903 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5735,7 +7788,7 @@ rule PUA_VULN_Driver_Microfocus_Microfocusxtier_5351 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200053006500630075007200690074007900200043006f006e00740065007800740020004d0061006e0061006700650072 } /* FileDescription XTierSecurityContextManager */ 
@@ -5750,13 +7803,35 @@ rule PUA_VULN_Driver_Microfocus_Microfocusxtier_5351 { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_1E9C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1e9c236ed39507661ec32731033c4a9b9c97a6221def69200e03685c08e0bfa7" + hash = "76276c87617b836dd6f31b73d2bb0e756d4b3d133bddfe169cb4225124ca6bfb" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_26C2 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers 
project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ 
@@ -5772,13 +7847,35 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_26C2 } +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_A209 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a2096b460e31451659b0dde752264c362f47254c8191930bc921ff16a4311641" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + condition: + all of them +} + + rule 
PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_DBC6 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5800,7 +7897,7 @@ rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_3 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -5822,7 +7919,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_2AFD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -5844,7 +7941,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -5866,7 +7963,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_8FE9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -5885,7 +7982,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_4BC0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -5907,7 +8004,7 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -5923,13 +8020,57 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { } +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_0EAB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0eab16c7f54b61620277977f8c332737081a46bc6bbde50742b6904bdd54f502" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright 
CopyrightSiSoftwareLtdPresentAllrightsreserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_D53F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d53f9111a5e6c94b37e3f39c5860897405cb250dd11aa91c3814a98b1759c055" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + condition: + all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolib_09BE { meta: description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ 
@@ -5945,13 +8086,35 @@ rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolib_09BE { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6701 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6701433861742c08eb50f1e785962378143ad5b6c374ac29118168599f8a0f1c" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + all of them +} + + rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B { 
meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ 
@@ -5967,13 +8130,57 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B { } +rule PUA_VULN_Driver_Innotekgmbh_Iprt_Virtualboxguestadditions_BBF5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxMouseNT.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "bbf564a02784d53b8006333406807c3539ee4a594585b1f3713325904cb730ec" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200069003800300034003200200050006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxiPortDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00690038003000340032007000720074 } /* InternalName iprt */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004d006f007500730065004e0054002e007300790073 } /* OriginalFilename VBoxMouseNTsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Proxydrvsys_Nn_C0E7 { + meta: 
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c0e74f565237c32989cb81234f4b5ad85f9dd731c112847c0a143d771021cb99" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ + condition: + all of them +} + + rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_CFB7 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -5995,7 +8202,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_B author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ 
@@ -6011,13 +8218,35 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_B } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F42E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f42eb29f5b2bcb2a70d796fd71fd1b259d5380b216ee672cf46dcdd4604b87ad" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_81AA { 
meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -6039,7 +8268,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -6055,13 +8284,35 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { } +rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_B9AE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b9ae1d53a464bc9bb86782ab6c55e2da8804c80a361139a82a6c8eef30fddd7c" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310034002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ 
@@ -6077,13 +8328,78 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 { } +rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_38D6 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "38d6d90d543bf6037023c1b1b14212b4fa07731cbbb44bdb17e8faffc12b22e8" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_B205 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow8x64.sys " + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* 
ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_CA34 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ca34f945117ec853a713183fa4e8cf85ea0c2c49ca26e73d869fee021f7b491d" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760032002e003000200028003200300030003600300038003000380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + condition: + all of them +} + + rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_AD23 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ @@ -6105,7 +8421,7 @@ rule PUA_VULN_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceventmonito author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e0053007900730020002d0020004500760065006e00740020004d006f006e00690074006f00720069006e00670020006400720069007600650072 } /* FileDescription VProEventMonitorSysEventMonitoringdriver */ 
@@ -6121,13 +8437,57 @@ rule PUA_VULN_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceventmonito } +rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_EAA5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "eaa5dae373553024d7294105e4e07d996f3a8bd47c770cdf8df79bf57619a8cd" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + all of them +} + + +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_8EF5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8ef59605ebb2cb259f19aba1a8c122629c224c58e603f270eaa72f516277620c" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e00320030003100350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e0032003000310035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* 
ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0B2A { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -6149,7 +8509,7 @@ rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_3724 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
@@ -6171,7 +8531,7 @@ rule PUA_VULN_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardwarereadwrit
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* FileDescription Hardwarereadwritedriver */
@@ -6187,35 +8547,13 @@ rule PUA_VULN_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardwarereadwrit } -rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_CF69 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ - condition: - all of them -} - - rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E { meta: 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ 
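Review bot: The rule `PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_CF69` (hash `cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb`) is deleted in this hunk with no replacement visible anywhere in the diff, so detection coverage for that EIO.sys sample is lost unless another rule now matches it. If the upstream generator dropped it deliberately, a short line in the commit description saying so, and naming the rule that covers the hash now if any, would save the next sync from re-investigating. The only other change in the hunk is the date bump on the Gigabyte `133E` rule.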
@@ -6231,13 +8569,35 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E } +rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_E505 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e505569892551b2ba79d8792badff0a41faea033e8d8f85c3afea33463c70bd9" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + all of them +} + + rule PUA_VULN_Driver_Logmeininc_Lmiinfosys_Logmein_453B { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LMIinfo.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0067004d00650049006e0020004b00650072006e0065006c00200049006e0066006f0072006d006100740069006f006e002000500072006f00760069006400650072 } /* FileDescription LogMeInKernelInformationProvider */ @@ -6255,11 +8615,11 @@ rule PUA_VULN_Driver_Logmeininc_Lmiinfosys_Logmein_453B { rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ 
@@ -6275,13 +8635,35 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { } +rule PUA_VULN_Driver_Innotekgmbh_Vboxusbsys_Virtualboxusbdriver_C509 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c509935f3812ad9b363754216561e0a529fc2d5b8e86bfa7302b8d149b7d04aa" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ + condition: + all of them +} + + rule PUA_VULN_Driver_Asustekcomputerinc_Iomapsys_Asuskernelmodedriverfornt_EA85 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IOMap64.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" hash = "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* FileDescription ASUSKernelModeDriverforNT */ @@ -6303,7 +8685,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_EBE2 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -6325,7 +8707,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_7AD0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -6347,7 +8729,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
@@ -6363,13 +8745,35 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_AF16 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "af16c36480d806adca881e4073dcd41acb20c35ed0b1a8f9bd4331de655036e1" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003200200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + all of them +} + + rule 
PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_FF96 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -6391,7 +8795,7 @@ rule PUA_VULN_Driver_Nvidiacorporation_Nvflash_Nvidiaflashdriver_AFDD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072002c002000560065007200730069006f006e00200031002e0038002e0030 } /* FileDescription NVIDIAFlashDriverVersion */ @@ -6413,7 +8817,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -6429,13 +8833,35 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { } +rule PUA_VULN_Driver_Netfiltersdkcom_Lgdcatchersys_Netfiltersdk_0C42 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDCatcher.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* CompanyName NetFilterSDKcom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* InternalName LgDCatchersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0065007400460069006c007400650072002000530044004b } /* ProductName NetFilterSDK */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* OriginalFilename LgDCatchersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003f0020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + condition: + all of them +} + + rule 
PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050004e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPNPDriver */ @@ -6457,7 +8883,7 @@ rule PUA_VULN_Driver_Mitactechnologycorporation_Mtcbsvsys_Mitacsystemserviceprov author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ @@ -6479,7 +8905,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EC5F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
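Review bot: The LegalCopyright pattern in the new `PUA_VULN_Driver_Netfiltersdkcom_Lgdcatchersys_Netfiltersdk_0C42` rule encodes the character between `Copyright` and `NetFilterSDK.com` as `003f` (`?`), whereas the other rules in this file encode the copyright sign as `00a9`. If that `?` is an artifact of the generator's string extraction rather than the bytes actually present in the driver's VersionInfo resource, this one string never matches and, because the condition is `all of them`, the whole rule is dead. It is worth checking the pattern against the listed sample `0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5` before merging; if the `?` is genuine, a trailing comment such as `/* LegalCopyright - the '?' is literal in the resource */` would stop the next reviewer from asking the same question.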
@@ -6501,7 +8927,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
diff --git a/detections/yara/yara-rules_vuln_drivers_strict.yar b/detections/yara/yara-rules_vuln_drivers_strict.yar
index e31cfda4f..795ddefea 100644
--- a/detections/yara/yara-rules_vuln_drivers_strict.yar
+++ b/detections/yara/yara-rules_vuln_drivers_strict.yar
@@ -1,11 +1,121 @@ +rule PUA_VULN_Driver_Novellinc_Novellxtier_EC13 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ec1307356828426d60eab78ffb5fc48a06a389dea6e7cc13621f1fa82858a613" + hash = "6c5aef14613b8471f5f4fdeb9f25b5907c2335a4bc18b3c2266fb1ffd8f1741d" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Iobit_Iobitunlockersys_Iobitunlocker_5EA5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from 
the PE header - iobitunlocker.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5ea5f339b2e40dea57378626790ca7e9a82777aacdada5bc61ebb7d82043fa07" + hash = "b0dd55b4dc7e561dfe413b029673674e2a5381f5f4daede03ddf3484310a6e11" + hash = "a92d2736c8cd99195a1ef4d0d9a3412bee481acf585944e3b5946b465361a3e7" + hash = "d3e95b8d8cbb0c4c3bb78d929408b37fd3b8f305b6234f7f03954465d52454eb" + hash = "b6ae324b84a4632cf690dd565954d64b205104fc3fa42181612c3f5b830579c6" + hash = "d8096325bfe81b093dd522095b6153d9c4850ba2eaa790e12e7056ef160d0432" + hash = "0209934453e9ce60b1a5e4b85412e6faf29127987505bfb1185fc9296c578b09" + hash = "2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae" + hash = "c2e1a3dd0dfb3477a3e855368b23d12b8818df8fa3bc3508abf069a0873d6bf8" + hash = "faa9aa7118ecf9bb6594281f6b582f1ced0cc62d5db09a2fbf9b7ce70c532285" + hash = "507724d96a54f3e45c16a065bf38ae82a9b80d07096a461068a701cae0c1cf29" + hash = "969f73a1da331e43777a3c1f08ec0734e7cf8c8136e5d469cbad8035fbfe3b47" + hash = "a38c26c0754f6c9389ea43dd0149db26b95742c1b37468fcf0d8ced66da1dcb9" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f0062006900740055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription IObitUnlockerDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072 } /* ProductName IObitUnlocker */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0049004f00620069007400200043006f0070007900720069006700680074002000a900200032003000300035002d0032003000310033 } /* LegalCopyright IObitCopyright */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_D807 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d80714d87529bb0bc7abcc12d768c43a697fbca59741c38fa0b46900da4db30e" + hash = "fed0fe2489ae807913be33827b3b11359652a127e33b64464cc570c05abd0d17" + hash = "7048d90ed4c83ad52eb9c677f615627b32815066e34230c3b407ebb01279bae6" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Powertool_Kevpsys_Powertool_7462 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7462b7ae48ae9469474222d4df2f0c4f72cdef7f3a69a524d4fccc5ed0fd343f" + hash = "7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230" + hash = "d9500af86bf129d06b47bcfbc4b23fcc724cfbd2af58b03cdb13b26f8f50d65e" + hash = "97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56" + hash = "e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4" + hash = "2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d" + hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" + hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" + hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */ + condition: + uint16(0) == 0x5a4d and filesize < 2900KB and all of them +} + + rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_8B92 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ 
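Review bot: The `filesize` cap in the condition is rule-specific (`< 2900KB` for the PowerTool `7462` rule, `< 100KB` for the Novell, IObit and Elby rules added above it) but nothing in the rule records how the value was chosen, and the IObit rule lists thirteen hashes that all have to stay under the 100KB cap for the rule to fire on them. When these rules are regenerated the cap should be confirmed against the largest sample listed in `meta`, and a one-line comment next to the condition, e.g. `/* filesize cap derived from the largest listed sample */`, would make that provenance visible. The `uint16(0) == 0x5a4d and filesize < ...` guard is otherwise the right shape for VersionInfo-only signatures in the strict file.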
@@ -27,7 +137,7 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7196 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */
@@ -50,7 +160,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_1
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e"
 hash = "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
@@ -73,7 +183,7 @@ rule PUA_VULN_Driver_Yyinc_Dianhu_BB50 {
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955"
 hash = "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006400690061006e00680075 } /* FileDescription dianhu */
@@ -93,7 +203,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CF4B {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d005300490043006c006f0063006b005f00430043 } /* FileDescription NTIOLibforMSIClockCC */
@@ -111,12 +221,14 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CF4B { rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00" + hash = "7227377a47204f8e2ff167eee54b4b3545c0a19e3727f0ec59974e1a904f4a96" + hash = "b11e109f6b3dbc8aa82cd7da0b7ba93d07d9809ee2a4b21ec014f6a676a53027" hash = "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -138,11 +250,12 @@ rule PUA_VULN_Driver_Phoenixtechnologies_Agentsys_Driveragent_6948 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa"
+ hash = "4db1e0fdc9e6cefeb1d588668ea6161a977c372d841e7b87098cf90aa679abfb"
 hash = "8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f"
 hash = "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414"
 hash = "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748"
 hash = "4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004400720069007600650072004100670065006e0074002000440069007200650063007400200049002f004f00200066006f0072002000360034002d006200690074002000570069006e0064006f00770073 } /* FileDescription DriverAgentDirectIOforbitWindows */
@@ -171,7 +284,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_FF11 {
 hash = "57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572"
 hash = "4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee"
 hash = "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
@@ -187,6 +300,105 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_FF11 { } +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxusbsys_Virtualboxusbdriver_5B26 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5b26c4678ecd37d1829513f41ff9e9df9ef1d1d6fea9e3d477353c90cc915291" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_8E92 { + meta: + description = 
"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8e92aacd60fca1f09b7257e62caf0692794f5d741c5d1eec89d841e87f2c359c" + hash = "84c5f6ddd9c90de873236205b59921caabb57ac6f7a506abbe2ce188833bbe51" + hash = "ac1af529c9491644f1bda63267e0f0f35e30ab0c98ab1aecf4571f4190ab9db4" + hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e" + hash = "79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd" + hash = "6001c6acae09d2a91f8773bbdfd52654c99bc672a9756dc4cb53dc2e3efeb097" + hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98" + hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126" + hash = "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_7D4C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7d4ca5760b6ad2e4152080e115f040f9d42608d2c7d7f074a579f911d06c8cf8" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e } /* CompanyName TOSHIBACorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0031002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0031002e0030002e0030 } /* 
ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* InternalName NCHGBIOSxSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0054004f00530048004900420041002000420049004f00530020005000610063006b006100670065 } /* ProductName TOSHIBABIOSPackage */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* OriginalFilename NCHGBIOSxSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200031003900390039002d003200300031003000200054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCTOSHIBACorporationAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_D7B7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d7b743c3f98662c955c616e0d1bb0800c9602e5b6f2385336a72623037bfd6dd" + hash = "2665d3127ddd9411af38a255787a4e2483d720aa021be8d6418e071da52ed266" + hash = "567809308cfb72d59b89364a6475f34a912d03889aa50866803ac3d0bf2c3270" + hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 
00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" @@ -194,7 +406,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250" hash = "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d0053004900530069006d0070006c0065005f004f0043 } /* FileDescription NTIOLibForMSISimpleOC */ 
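Review bot: In the new `PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_8E92` rule, four of the eight required strings (CompanyName `Windows (R) Codename Longhorn DDK provider`, FileVersion `6.0.6000.16386 built by: WinDDK`, ProductVersion `6.0.6000.16386`, LegalCopyright `© Microsoft Corporation…`) are the WDK's template version-resource values rather than anything CPUID set, so the rule cannot separate the nine listed vulnerable builds from any other cpuz.sys compiled against the same kit; only FileDescription `CPUID Driver` and the `cpuz.sys` InternalName/OriginalFilename are vendor-specific. That is acceptable for a score-40 PUA hint, but it should be stated so consumers do not read a match as confirmation of one of the listed hashes, e.g. a comment above the strings: `// version/company/copyright fields are WDK template defaults; any cpuz.sys built with this DDK matches - confirm hash before blocking`. The same caveat applies to the other cpuz.sys rules this commit adds (`_BE68`, `_65DE`), which differ only in which DDK template they embed. Separately, none of the version patterns end in a terminating `0000`, so `FileVersion 1.01` in the VBoxUSB rule also matches any version string that merely begins with `1.01`; appending `0000` to the version hex strings would pin them if that precision is wanted.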
@@ -217,7 +429,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd" hash = "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -239,7 +451,7 @@ rule PUA_VULN_Driver_Phoenixtechnologiesltd_Phlashnt_Winphlash_65DB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300570069006e0046006c006100730068002000440072006900760065007200200066006f0072002000570069006e0064006f007700730020004e0054 } /* FileDescription SWinFlashDriverforWindowsNT */ @@ -262,7 +474,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EE3F { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7" hash = "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -284,7 +496,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_ECD0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -306,7 +518,7 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ 
@@ -322,13 +534,35 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { } +rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_BE68 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "be683cd38e64280567c59f7dc0a45570abcb8a75f1d894853bbbd25675b4adf7" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_1023 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -346,11 +580,11 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ 
@@ -366,6 +600,39 @@ rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 { } +rule PUA_VULN_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_65DE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "65deb5dca18ee846e7272894f74d84d9391bbe260c22f24a65ab37d48bd85377" + hash = "c7f64b27cd3be5af1c8454680529ea493dfbb09e634eec7e316445ad73499ae0" + hash = "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e" + hash = "922d23999a59ce0d84b479170fd265650bc7fae9e7d41bf550d8597f472a3832" + hash = "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c" + hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289" + hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c" + hash = "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e" + hash = "c673f2eed5d0eed307a67119d20a91c8818a53a3cb616e2984876b07e5c62547" + hash = "b7aa4c17afdaff1603ef9b5cc8981bed535555f8185b59d5ae13f342f27ca6c5" + hash = "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b" + hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D8 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amifldrv64.sys, amifldrv.sys" @@ -373,7 +640,7 @@ rule PUA_VULN_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D reference = "https://github.com/magicsword-io/LOLDrivers" hash = "38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20" hash = "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0049002000470065006e00650072006900630020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription AMIGenericUtilityDriver */ 
@@ -395,7 +662,7 @@ rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_9131 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ @@ -417,7 +684,7 @@ rule PUA_VULN_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00500020004d0069006e006900660069006c007400650072 } /* FileDescription AMPMinifilter */ 
@@ -433,6 +700,54 @@ rule PUA_VULN_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_66A2 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "66a20fc2658c70facd420f5437a73fa07a5175998e569255cfb16c2f14c5e796" + hash = "4cd80f4e33b713570f6a16b9f77679efa45a466737e41db45b41924e7d7caef4" + hash = "00c02901472d74e8276743c847b8148be3799b0e3037c1dfdca21fa81ad4b922" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule 
PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_0B54 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0b547368c03e0a584ae3c5e62af3728426c68b316a15f3290316844d193ad182" + hash = "f15962354d37089884abba417f58e9dbd521569b4f69037a24a37cfc2a490672" + hash = "9fa120bda98633e30480d8475c9ac6637470c4ca7c63763560bf869138091b01" + hash = "9eba5d1545fdbf37cf053ac3f3ba45bcb651b8abb7805cbfdfb5f91ea294fb95" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 { meta: 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxdrv.sys" @@ -440,7 +755,7 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f" hash = "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
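Review bot: `PUA_VULN_Driver_Novellinc_Novellxtier_66A2` requires only seven strings and has no InternalName pattern, whereas the non-Novell rules added in this commit all carry eight including InternalName; the other Novell rule (`_F77F`, nscm.sys) is also missing it, which suggests the Novell drivers' VersionInfo genuinely lacks that field, but a generator omission would produce the same shape. A one-line note in the strings section would spare the next reader the check, e.g. `/* no InternalName: field absent from libnicm.sys VersionInfo - confirm against 66a20fc2... */` (hedged, since the resource itself is not visible here). Note also that `ProductVersion 3.1.11` and `FileVersion 3.1.11.0` have no terminating `0000`, so they also match longer values such as `3.1.110`; appending `0000` would pin them.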
@@ -456,6 +771,30 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 { } +rule PUA_VULN_Driver_Windowsrwinddkprovider_Lgdatacatchersys_Gameacc_07FB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDataCatcher.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "07fb2bb6c852f6a6fe982b2232f047e167be39738bac26806ffe0927ba873756" + hash = "45b07a2f387e047a6bb0e59b7f22fb56182d57b50e84e386a38c2dbb7e773837" + hash = "516159871730b18c2bddedb1a9da110577112d4835606ee79bb80e7a58784a13" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006500690067006f00640020006e006500740020006400610074006100200063006100740063006800650072002e } /* FileDescription Leigodnetdatacatcher */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* InternalName LgDataCatchersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470061006d0065004100630063 } /* ProductName GameAcc */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* OriginalFilename LgDataCatchersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002000320030003200300020006e006e002e0063006f006d } /* LegalCopyright 
Copyrightnncom */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + rule PUA_VULN_Driver_Bsmisys_552F { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BSMIx64.sys" @@ -463,7 +802,7 @@ rule PUA_VULN_Driver_Bsmisys_552F { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9" hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053004d00490020004400720069007600650072 } /* FileDescription SMIDriver */ @@ -486,7 +825,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatftatcamfntam hash = "5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be" hash = "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5" hash = "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440065006600610075006c0074002000420049004f005300200046006c0061007300680020004400720069007600650072 } /* FileDescription DefaultBIOSFlashDriver */ @@ -508,7 +847,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3070 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0053004900200043006f006d00430065006e00530065007200760069006300650020004400720069007600650072 } /* FileDescription MSIComCenServiceDriver */ 
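Review bot: In `PUA_VULN_Driver_Windowsrwinddkprovider_Lgdatacatchersys_Gameacc_07FB` the LegalCopyright hex pattern encodes two consecutive spaces (`0020 0020`) between `Copyright` and `2020`, i.e. `Copyright  2020 nn.com`; the cpuz rules in this same commit put `©` (`00a9`) in exactly that position, so this looks like a code point dropped during metadata extraction rather than the real resource value. Because the condition is `all of them`, a single mis-transcribed string silently makes the whole rule inert, including for the three listed hashes, and nothing in the rule would reveal that. Verify the pattern against the `07fb2bb6...` sample before merging; if the character cannot be confirmed, either drop that string or relax the condition to `uint16(0) == 0x5a4d and filesize < 200KB and 7 of them` so the vendor-specific fields (FileDescription `Leigod net data catcher.`, InternalName/OriginalFilename `LgDataCatcher.sys`, ProductName `GameAcc`) still carry the match. CompanyName here is the `Windows (R) Win 7 DDK provider` template default and FileVersion/ProductVersion are `1.0.0.0`, so those strings add little discrimination on their own.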
@@ -530,7 +869,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_AAA3 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -552,7 +891,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_654C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -574,18 +913,25 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f" + hash = "c8f0bb5d8836e21e7a22a406c69c01ba7d512a808c37c45088575d548ee25caa" hash = "df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15" + hash = "636b4c1882bcdd19b56370e2ed744e059149c64c96de64ac595f20509efa6220" hash = "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758" + hash = "b01ebea651ec7780d0fe88dd1b6c2500a36dacf85e3a4038c2ca1c5cb44c7b5d" hash = "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6" hash = "5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe" + hash = "a11cf43794ea5b5122a0851bf7de08e559f6e9219c77f9888ff740055f2c155e" + hash = "d0543f0fdc589c921b47877041f01b17a534c67dcc7c5ad60beba8cf7e7bc9c6" + hash = "b9695940f72e3ed5d7369fb32958e2146abd29d5895d91ccc22dfbcc9485b78b" hash = "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b" + hash = "e51ec2876af3c9c3f1563987a9a35a10f091ea25ede16b1a34ba2648c53e9dfc" hash = "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90" hash = "80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1" hash = "523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba" hash = "67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc" hash = "1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512" hash = "9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ 
@@ -607,7 +953,7 @@ rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_3143 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */
@@ -623,13 +969,37 @@ rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_3143 { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_F77F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f77fe6b1e0e913ac109335a8fa2ac4961d35cbbd50729936059aba8700690a9e" + hash = "c6feb3f4932387df7598e29d4f5bdacec0b9ce98db3f51d96fc4ffdcc6eb10e1" + hash = "1675eedd4c7f2ec47002d623bb4ec689ca9683020e0fdb0729a9047c8fb953dd" + hash = "e7b79fe1377b3da749590c080d4d96e59e622b1013b2183b98c81baa8bf2fffe" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 
0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Wj_Kprocesshacker_C725 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - krpocesshacker.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ 
@@ -644,15 +1014,72 @@ rule PUA_VULN_Driver_Wj_Kprocesshacker_C725 { } -rule PUA_VULN_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_5C04 { +rule PUA_VULN_Driver_Novellinc_Novellxtier_3140 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a" - hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173" - hash = "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7" - date = "2023-07-14" + hash = "3140005ce5cac03985f71c29732859c88017df9d41c3761aa7c57bbcb7ad2928" + hash = "18f306b6edcfacd33b7b244eaecdd0986ef342f0d381158844d1f0ee1ac5c8d7" + hash = "c08581e3e444849729c5b956d0d6030080553d0bc6e5ae7e9a348d45617b9746" + hash = "94c226a530dd3cd8d911901f702f3dab8200d1d4fdc73fcb269f7001f4e66915" + hash = "00b3ff11585c2527b9e1c140fd57cb70b18fd0b775ec87e9646603056622a1fd" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_47E3 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "47e35f474f259314c588af35e88561a015801b52db523eb75fc7eccff8b3be4d" + hash = "6703400b490b35bcde6e41ce1640920251855e6d94171170ae7ea22cdd0938c0" + hash = "f488500be4eaafba74b644be95d4c0523297770fb9bb78c449f643ab8d4a05d9" + hash = "639ff79f13e40d47b90ecd709699edd10e740cb41451acb95590a68b6352de2b" + hash = "0eace788e09c8d3f793a1fad94d35bcfd233f0777873412cd0c8172865562eec" + hash = "db1dbb09d437d3e8bed08c88ca43769b4fe8728f68b78ff6f9c8d2557e28d2b1" + hash = "5c54a5cd3386ac14725a07962562e9fdcefbb7be0d19803f9d71de24573de1e3" + hash = "8017e618b5a7aa608cc4bce16e4defd6b4e99138c4ba1bdd6ad78e39f035cf59" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName 
WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_5C04 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a" + hash = "c825a47817399e988912bb75106befaefae0babc0743a7e32b46f17469c78cad" + hash = "be66f3bbfed7d648cfd110853ddb8cef561f94a45405afc6be06e846b697d2b0" + hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173" + hash = "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7" + hash = "6c6c5e35accc37c928d721c800476ccf4c4b5b06a1b0906dc5ff4df71ff50943" + date = "2023-07-31" score = 40 
strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410054004900200044006900610067006e006f007300740069006300730020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription ATIDiagnosticsHardwareAbstractionSys */ @@ -674,7 +1101,7 @@ rule PUA_VULN_Driver_Lenovogrouplimitedr_Lenovodiagnosticsdriversys_Lenovodiagno author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073002000440072006900760065007200200066006f0072002000570069006e0064006f0077007300200031003000200061006e00640020006c0061007400650072002e } /* FileDescription LenovoDiagnosticsDriverforWindowsandlater */ @@ -697,7 +1124,7 @@ rule PUA_VULN_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsystem_E75 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf" hash = "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c00480041 } /* FileDescription LHA */ 
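Review bot: In the new `PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_47E3` rule, every matched VersionInfo value appears to describe the NetFilter SDK build rather than the eight listed samples: `CompanyName` and `ProductName` are the stock `Windows (R) Win 7 DDK provider` / `... DDK driver` template strings, `FileDescription` is `NetFilter SDK WFP Driver (WPP)` and `LegalCopyright` names `NetFilterSDK.com`. Any third-party driver built from that SDK at FileVersion 1.5.9.7 with the default resource file would therefore satisfy `all of them`, so the rule identifies an SDK build, not the specific LOLDrivers entries; the `PUA_VULN_` prefix and score 40 are consistent with that, but the rule should say so. Since this file looks generated from the YAML sources, the caveat probably belongs upstream, but at minimum a comment under the description such as `// NOTE: all VersionInfo values below are NetFilter SDK 1.5.9.7 defaults, so any driver built from that SDK matches, not only the listed hashes` would set expectations for triage. This hunk begins several hundred lines earlier with the Novell `_3140` rule and the re-added ATI `_5C04` rule, whose `strings` and `condition` continue past the end of the hunk.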
@@ -713,6 +1140,29 @@ rule PUA_VULN_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsystem_E75 } +rule PUA_VULN_Driver_Novellinc_Novellxtier_E728 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e728b259113d772b4e96466ab8fe18980f37c36f187b286361c852bd88101717" + hash = "a15325e9e6b8e4192291deb56c20c558dde3f96eb682c6e90952844edb984a00" + hash = "4c859b3d11d2ff0049b644a19f3a316a8ca1a4995aa9c39991a7bde8d4f426a4" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_55FE { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_I2cIo.sys" @@ -721,7 +1171,7 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_55FE { hash = "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a" hash = "42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb" hash = "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ 
@@ -737,34 +1187,6 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_55FE { } -rule PUA_VULN_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_C3E1 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e" - hash = "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c" - hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289" - hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c" - hash = "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e" - hash = "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b" - hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - rule PUA_VULN_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_1792 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" @@ -772,8 +1194,9 @@ rule PUA_VULN_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_1 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229" hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427" + hash = "88992ddcb9aaedb8bfcc9b4354138d1f7b0d7dddb9e7fcc28590f27824bee5c3" hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ 
@@ -795,10 +1218,15 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3" + hash = "da617fe914a5f86dc9d657ef891bbbceb393c8a6fea2313c84923f3630255cdb" hash = "5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02" + hash = "368a9c2b6f12adbe2ba65181fb96f8b0d2241e4eae9f3ce3e20e50c3a3cc9aa1" + hash = "572c545b5a95d3f4d8c9808ebeff23f3c62ed41910eb162343dd5338e2d6b0b4" + hash = "4d5059ec1ebd41284b9cea6ce804596e0f386c09eee25becdd3f6949e94139ba" hash = "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa" + hash = "11a4b08e70ebc25a1d4c35ed0f8ef576c1424c52b580115b26149bd224ffc768" hash = "ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -820,7 +1248,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_7 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ 
@@ -842,7 +1270,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -864,9 +1292,17 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_26E3 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43" + hash = "53bd8e8d3542fcf02d09c34282ebf97aee9515ee6b9a01cefd81baa45c6fd3d6" + hash = "b4c07f7e7c87518e8950eb0651ae34832b1ecee56c89cdfbd1b4efa8cf97779f" + hash = "b738eab6f3e32cec59d5f53c12f13862429d3db6756212bbcd78ba4b4dbc234c" + hash = "0484defcf1b5afbe573472753dc2395e528608b688e5c7d1d178164e48e7bed7" + hash = "d366cbc1d5dd8863b45776cfb982904abd21d0c0d4697851ff54381055abcfc8" + hash = "65e3548bc09dffd550e79501e3fe0fee268f895908e2bba1aa5620eb9bdac52d" hash = "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26" + hash = "fb1183ef22ecbcc28f9c0a351c2c0280f1312a0fdf8a9983161691e2585efc70" + hash = "8a0702681bc51419fbd336817787a966c7f92cabe09f8e959251069578dfa881" hash = "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ 
@@ -888,9 +1324,12 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_2E66 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0" + hash = "b0b6a410c22cc36f478ff874d4a23d2e4b4e37c6e55f2a095fc4c3ef32bcb763" hash = "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f" + hash = "5a661e26cfe5d8dedf8c9644129039cfa40aebb448895187b96a8b7441d52aaa" hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22" - date = "2023-07-14" + hash = "202d9703a5b8d06c5f92d2c5218a93431aa55af389007826a9bfaaf900812213" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ @@ -911,10 +1350,12 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_8D57 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2" + hash = "b8ffe83919afc08a430c017a98e6ace3d9cbd7258c16c09c4f3a4e06746fc80a" hash = "f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c" hash = "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88" hash = "771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c" - date = "2023-07-14" + hash = "6c5c6c350c8dd4ca90a8cca0ed1eeca185ebc67b1100935c8f03eb3032aca388" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ 
@@ -936,7 +1377,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_9
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
@@ -952,6 +1393,38 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_9 } +rule PUA_VULN_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_4D03 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4d03a01257e156a3a018230059052791c3cde556e5cec7a4dd2f55f65c06e146" + hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9" + hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" + hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" + hash = "53bb076e81f6104f41bc284eedae36bd99b53e42719573fa5960932720ebc854" + hash = "d20d8bf80017e98b6dfc9f6c3960271fa792a908758bef49a390e2692a2a4341" + hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" + hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838" + hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d" + hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7" + hash = "4bf974f5d3489638a48ee508b4a8cfa0f0262909778ccdd2e871172b71654d89" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_9521 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" @@ -988,7 +1461,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_9521 { hash = "9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449" hash = "7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504" hash = "39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ 
@@ -1012,7 +1485,8 @@ rule PUA_VULN_Driver_Asustek_Driversys_Ectool_4285 {
 hash = "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0"
 hash = "927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a"
 hash = "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd"
- date = "2023-07-14"
+ hash = "1beb15c90dcf7a5234ed077833a0a3e900969b60be1d04fcebce0a9f8994bdbb"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400680065002000640072006900760065007200200066006f007200200074006800650020004500430074006f006f006c0020006400720069007600650072002d0062006100730065006400200074006f006f006c0073 } /* FileDescription ThedriverfortheECtooldriverbasedtools */
@@ -1028,6 +1502,30 @@ rule PUA_VULN_Driver_Asustek_Driversys_Ectool_4285 { } +rule PUA_VULN_Driver_Netfiltersys_26D6 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "26d67d479dafe6b33c980bd1eed0b6d749f43d05d001c5dcaaf5fcddb9b899fe" + hash = "2fa78c2988f9580b0c18822b117d065fb419f9c476f4cfa43925ba6cd2dffac3" + hash = "6a234a2b8eb3844f7b5831ee048f88e8a76e9d38e753cc82f61b234c79fe1660" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_D682 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" @@ -1044,7 +1542,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_D hash = "89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7" hash = "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd" hash = "c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -1066,7 +1564,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_949 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ 
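Review bot: In `PUA_VULN_Driver_Netfiltersys_26D6` (hunk `@@ -1028,6 +1502,30 @@`, which starts on the previous physical line), the `CompanyName` and `ProductName` patterns `5b8f56fe65e05fe7` and `65e05fe752a0901f5668` are UTF-16 code units written high byte first, but PE VersionInfo stores strings as UTF-16LE, so the bytes on disk should be `8f 5b fe 56 ...`. The ASCII-range patterns throughout this file survive the same byte order only because each character's `00` high byte lines up with the neighbouring character one position earlier; for code units whose high byte is non-zero that alignment does not exist, so these two strings cannot match, and with `condition: ... all of them` the rule can never fire. The generator should emit the value bytes in little-endian order (`8f5bfe56e065e75f` and `e065e75fa0521f906856`, derived from the units on the page) or switch these two to a `wide` text string; the emptied labels `/* CompanyName */` and `/* ProductName */` suggest the non-ASCII path in the generator also loses the human-readable comment and would be worth a test case.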
@@ -1082,13 +1580,35 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_949 } +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_9E34 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9e3430d5e0e93bc4a5dccc985053912065e65722bfc2eaf431bc1da91410434c" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + rule PUA_VULN_Driver_Zemanaltd_Zam_7CB5 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" hash = "7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -1109,7 +1629,7 @@ rule PUA_VULN_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_5A82 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a" hash = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200610077004400690073006b0020004400720069007600650072002e00200041006c006c006f00770073002000770072006900740065002000610063006300650073007300200074006f002000660069006c0065007300200061006e006400200072006100770020006400690073006b00200073006500630074006f0072007300200066006f0072002000750073006500720020006d006f006400650020006100700070006c00690063006100740069006f006e007300200069006e002000570069006e0064006f007700730020003200300030003000200061006e00640020006c0061007400650072002e } /* FileDescription RawDiskDriverAllowswriteaccesstofilesandrawdisksectorsforusermodeapplicationsinWindowsandlater */ @@ -1131,7 +1651,7 @@ rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ 
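Review bot: The `date` of `PUA_VULN_Driver_Zemanaltd_Zam_7CB5` is bumped from `2023-07-14` to `2023-07-31` although its strings and condition are unchanged in this hunk, and the same bump is applied to every unchanged rule in this file (the hunks at old lines 1044, 1066, 1109, 1131 and all later ones). If these rules are regenerated by script and `date` is stamped with the run date, the field no longer tells a consumer when a rule's detection logic last changed, and every regeneration touches every rule, burying the real addition here (`PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_9E34`) in churn. Consider keeping `date` stable per rule and carrying the generation date once in a file header comment, or in a separate `modified` meta field that is only updated when strings or condition change. The `filesize < 200KB` bound on the Razer rule differs from the `100KB` used by its neighbours; if the generator derives the bound from the sample size that is fine, but it is worth checking that the listed hash fits under it.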
@@ -1147,13 +1667,61 @@ rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { } +rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutsys_Inpoutdriverversion_B8DE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpout32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b8ded5e10dfc997482ba4377c60e7902e6f755674be51b0e181ae465529fb2f2" + hash = "945ee05244316ff2f877718cf0625d4eb34e6ec472f403f958f2a700f9092507" + hash = "cfab93885e5129a86d13fd380d010cc8c204429973b776ab1b472d84a767930f" + hash = "7db320e49139f636c8b6d12b6c78b666a62599e9d59587ba87c6b89b0a34b18d" + hash = "16360ead229b13deb47bc2bef40f282474c9f18c213c636cdfb8cc2495168251" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048006900670068007200650073006f006c007500740069006f006e00200045006e0074006500720070007200690073006500730020005b007700770077002e006800690067006800720065007a002e0063006f002e0075006b005d } /* CompanyName HighresolutionEnterpriseswwwhighrezcouk */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* InternalName inpoutsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006e0070006f00750074003300320020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName 
inpoutDriverVersion */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* OriginalFilename inpoutsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300030003800200048006900670068007200650073006f006c007500740069006f006e00200045006e007400650072007000720069007300650073002e00200050006f007200740069006f006e007300200043006f007000790072006900670068007400200028006300290020004c006f00670069007800340075 } /* LegalCopyright CopyrightcHighresolutionEnterprisesPortionsCopyrightcLogixu */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_B9AD { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b9ad7199c00d477ebbc15f2dcf78a6ba60c2670dad0ef0994cebccb19111f890" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200033002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - superbmc.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007300750070006500720062006d0063 } /* FileDescription superbmc */ 
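Review bot: `PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_B9AD` pins the driver to the exact `FileVersion` `6, 0, 3, 2`, `ProductVersion` `6, 0, 0, 0` and 2000-2009 copyright strings, while `_1228` in the next hunk (old line 1169) repeats five of its eight strings with only those three differing, and `_07AF` (old line 1280) shares the `InternalName`, `ProductName` and `OriginalFilename` strings again. Because every rule requires `all of them`, a build of elbycdio.sys with any other version stamp matches none of the three, so coverage is limited to builds carrying exactly these stamps. If the intent is to flag the vulnerable driver family rather than individual builds, consider a companion rule generated once per `InternalName`/`OriginalFilename` pair over the version-independent strings, or a threshold such as `6 of them` that keeps the version strings as supporting evidence only. The hash-prefixed rule names make this overlap hard to spot, so at minimum a generated comment like `/* see also _1228, _07AF: same driver, other builds */` would help maintainers.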
@@ -1169,13 +1737,60 @@ rule PUA_VULN_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1228 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1228d0b6b4f907384346f64e918cc28021fe1cd7d4e39687bca34a708998261a" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003400200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule 
PUA_VULN_Driver_Novellinc_Novellxtier_DD2F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "dd2f1f7012fb1f4b2fb49be57af515cb462aa9c438e5756285d914d65da3745b" + hash = "0cfb7ea2cc515a7fe913ab3619cbfcf1ca96d8cf72dc350905634a5782907a49" + hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b" + hash = "d1c78c8ba70368e96515fb0596598938a8f9efa8f9f5d9e068ee008f03020fee" + hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 
100KB and all of them +} + + rule PUA_VULN_Driver_Dell_Dbutil_71FE { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DBUtilDrv2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440042005500740069006c } /* FileDescription DBUtil */ @@ -1195,10 +1810,13 @@ rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_EA0B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3" hash = "3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf" + hash = "83fbf5d46cff38dd1c0f83686708b3bd6a3a73fddd7a2da2b5a3acccd1d9359c" hash = "1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe" hash = "45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a" hash = "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d" - date = "2023-07-14" + hash = "d15a0bc7a39bbeff10019496c1ed217b7c1b26da37b2bdd46820b35161ddb3c4" + hash = "bdcacb9f373b017d0905845292bca2089feb0900ce80e78df1bcaae8328ce042" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200770044007200760020004400720069007600650072 } /* FileDescription RwDrvDriver */ 
@@ -1214,13 +1832,37 @@ rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_EA0B { } +rule PUA_VULN_Driver_Netfiltersys_7FF8 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7ff8fe4c220cf6416984b70a7e272006a018e5662da3cedc2a88efeb6411b4a4" + hash = "1cd75de5f54b799b60789696587b56a4a793cf60775b81f236f0e65189d863af" + hash = "12656fc113b178fa3e6bfffc6473897766c44120082483eb8059ebff29b5d2df" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_7795 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* FileDescription */ @@ -1242,7 +1884,7 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_CFCF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ @@ -1264,7 +1906,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ 
@@ -1280,13 +1922,71 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ } +rule PUA_VULN_Driver_Elaboratebytes_Elbycdio_Cdrtools_07AF { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "07af8c5659ad293214364789df270c0e6d03d90f4f4495da76abc2d534c64d88" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_F7E0 { + meta: + description = 
"Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f7e0cca8ad9ea1e34fa1a5e0533a746b2fa0988ba56b01542bc43841e463b686" + hash = "ef1abc77f4000e68d5190f9e11025ea3dc1e6132103d4c3678e15a678de09f33" + hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" + hash = "a3975db1127c331ba541fffff0c607a15c45b47aa078e756b402422ef7e81c2c" + hash = "019c2955e380dd5867c4b82361a8d8de62346ef91140c95cb311b84448c0fa4f" + hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63" + hash = "8d6febd54ce0c98ea3653e582f7791061923a9a4842bd4a1326564204431ca9f" + hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22" + hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" + hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775" + hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26" + hash = "3301b49b813427fa37a719988fe6446c6f4468dfe15aa246bec8d397f62f6486" + hash = "f8d6ce1c86cbd616bb821698037f60a41e129d282a8d6f1f5ecdd37a9688f585" + hash = "bc8cb3aebe911bd9b4a3caf46f7dda0f73fec4d2e4e7bc9601bb6726f5893091" + hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* 
ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9A91 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo11X64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ @@ -1309,7 +2009,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_1 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1" hash = "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ 
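Review bot: In `PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_F7E0` the `FileVersion` (`6.1.7600.16385 built by: WinDDK`) and `ProductVersion` (`6.1.7600.16385`) strings are the generic Windows 7 WDK build stamp rather than a CPUID-specific value, so they add little discriminating power while still being mandatory under `all of them`. The `_405A` rule at the end of this file appears to carry the same strings for its first five entries with a different hash list (its tail is outside this view, so `LegalCopyright` cannot be compared); if the two bodies turn out identical they should be merged rather than kept as two rules distinguished only by a hash prefix. A generated comment on the generic entries, e.g. `/* FileVersion: generic WDK 7600 build stamp, shared across many drivers */`, would stop a reader from treating them as a vendor fingerprint.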
@@ -1332,7 +2032,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b" hash = "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -1354,7 +2054,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -1370,21 +2070,68 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 { } -rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E2E7 { +rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_C190 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6" - date = "2023-07-14" + hash = "c190e4a7f1781ec9fa8c17506b4745a1369dcdf174ce07f85de1a66cf4b5ed8a" + date = "2023-07-31" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ + $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0035002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e0031002e003500200028003200300030003600300038003200380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_DAF5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "daf549a7080d384ba99d1b5bd2383dbb1aa640f7ea3a216df1f08981508155f5" + hash = "786f0ba14567a7e19192645ad4e40bee6df259abf2fbdfda35b6a38f8493d6cc" + hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" + hash = "87aae726bf7104aac8c8f566ea98f2b51a2bfb6097b6fc8aa1f70adeb4681e1b" + hash = "48b1344e45e4de4dfb74ef918af5e0e403001c9061018e703261bbd72dc30548" + date = 
"2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E2E7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: @@ -1398,7 +2145,7 @@ rule PUA_VULN_Driver_Ssmartsoftwaresolutionsgmbh_Sysdrvs_Sysdrvs_0E53 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530079007300440072007600330053 } /* FileDescription SysDrvS */ 
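Review bot: `PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E2E7` is deleted at the top of this hunk and re-added verbatim at its end with only the `date` changed (its last two strings and the `condition:` line even survive as context), so the diff presents a relocation as a rewrite and makes it hard to confirm that `_Novellinc_Novellxtierforwindows_V_C190` and `_Wisecleanercom_Wiseunlosys_Wiseunlo_DAF5` are the only genuine additions. If the emitting script iterates an unordered collection, sorting rules by name before writing would keep ordering stable across regenerations and shrink future diffs to the actual changes. On the new Novell rule, the generated comment `/* ProductVersion v */` has lost its value because digits and punctuation are stripped (the hex decodes to `v3.1.5 (20060828)`); keeping digits in the comment text, e.g. `/* ProductVersion v3.1.5 (20060828) */`, would make the string reviewable without decoding it, and the same stripping leaves the WiseUnlo `/* LegalCopyright Copyright */` comment uninformative.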
@@ -1420,7 +2167,7 @@ rule PUA_VULN_Driver_Copyright_Advancedmalwareprotection_6F55 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* FileDescription AdvancedMalwareProtection */
@@ -1443,7 +2190,7 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_D636 {
 hash = "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2"
 hash = "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff"
 hash = "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */
@@ -1459,13 +2206,44 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_D636 { } +rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_405A { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "405a99028c99f36ab0f84a1fd810a167b8f0597725e37513d7430617106501f1" + hash = "73c03b01d5d1eb03ec5cb5a443714b12fa095cc4b09ddc34671a92117ae4bb3a" + hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" + hash = "ff987c30ce822d99f3b4b4e23c61b88955f52406a95e6331570a2a13cbebc498" + hash = "78d49094913526340d8d0ef952e8fe9ada9e8b20726b77fb88c9fb5d54510663" + hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" + hash = "b0f6cd34717d0cea5ab394b39a9de3a479ca472a071540a595117219d9a61a44" + hash = "0e8595217f4457757bed0e3cdea25ea70429732b173bba999f02dc85c7e06d02" + hash = "40da0adf588cbb2841a657239d92f24b111d62b173204b8102dd0e014932fe59" + hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */
+ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */
+ condition:
+ uint16(0) == 0x5a4d and filesize < 100KB and all of them
+}
+
+
 rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 {
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
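Review bot: The new 405A rule does not match what the CPUID rule removed in the hunk at `@@ -1505,41 +2307,13 @@` (PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_DEEC) matched: the two rules are identical except for the LegalCopyright string, where DEEC has `0032003000310034` ("2014") and this rule has `0032003000310036` ("2016"), and none of DEEC's seven hashes reappear here or among the hashes added to the 2A6D rule in the hunk at `@@ -1667,9 +2509,13 @@`. Because the condition is `all of them`, a cpuz.sys build carrying the 2014 copyright line will no longer match unless a rule outside this diff still covers it. If dropping those samples is intentional (e.g. they were removed upstream), a one-line note in the commit message would make that clear; otherwise the DEEC rule should be kept alongside this one.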
@@ -1481,6 +2259,28 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_76AF { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "76af3f9fa111d694e37058606f2636430bdd378c85b94f426fbfcd6666ebe6cc" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000380020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Novellinc_Novellxtier_AB09 {
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys"
@@ -1489,8 +2289,10 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_AB09 {
 hash = "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a"
 hash = "e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48"
 hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790"
+ hash = "8138b219a2b1be2b0be61e5338be470c18ad6975f11119aee3a771d4584ed750"
+ hash = "f27febff1be9e89e48a9128e2121c7754d15f8a5b2e88c50102cecee5fe60229"
 hash = "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */
@@ -1505,41 +2307,13 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_AB09 { } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_DEEC { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" - hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63" - hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22" - hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" - hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775" - hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26" - hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */
- condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them
-}
-
-
 rule PUA_VULN_Driver_Microfocus_Microfocusxtier_95D5 {
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys"
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription XTierCOMServicesDriver */
@@ -1560,7 +2334,7 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */
@@ -1576,13 +2350,36 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_003E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "003e61358878c7e49e18420ee0b4a37b51880be40929a76e529c7b3fb18e81b4" + hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" + hash = "53810ca98e07a567bb082628d95d796f14c218762cbbaa79704740284dccda4b" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Zemanaltd_Zam_7661 {
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys"
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
@@ -1595,13 +2392,35 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_7661 { } +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_965D { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "965d4f981b54669a96c5ab02d09bf0a9850d13862425b8981f1a9271350f28bb" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values 
from the PE header - viragt64.sys"
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
@@ -1617,13 +2436,36 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_653F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "653f6a65e0e608cae217bea2f90f05d8125cf23f83ba01a60de0f5659cfa5d4d" + hash = "a855b6ec385b3369c547a3c54e88a013dd028865aba0f3f08be84cdcbaa9a0f6" + hash = "49ef680510e3dac6979a20629d10f06822c78f45b9a62ec209b71827a526be94" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_7D43 {
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
@@ -1645,7 +2487,7 @@ rule PUA_VULN_Driver_Pchuntersys_Pchunter_1B7F {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00450070006f006f006c0073006f00660074002000570069006e0064006f0077007300200049006e0066006f0072006d006100740069006f006e0020005600690065007700200054006f006f006c0073 } /* FileDescription EpoolsoftWindowsInformationViewTools */
@@ -1667,9 +2509,13 @@ rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_2A6D {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486"
+ hash = "3813c1aab1760acb963bcc10d6ea3fddc2976b9e291710756408de392bc9e5d5"
 hash = "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399"
+ hash = "68671b735716ffc168addc052c5dc3d635e63e71c1e78815e7874286c3fcc248"
 hash = "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961"
- date = "2023-07-14"
+ hash = "69640e9209f8e2ac25416bd3119b5308894b6ce22b5c80cb5d5f98f2f85d42ce"
+ hash = "2298e838e3c015aedfb83ab18194a2503fe5764a862c294c8b39c550aab2f08e"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
@@ -1692,7 +2538,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B {
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee"
 hash = "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062005f005800360034 } /* FileDescription NTIOLibX */
@@ -1708,13 +2554,37 @@ rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_1B17 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1b17d12076d047e74d15e6e51e10497ad49419bec7fbe93386c57d3efbaadc0b" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_C628 {
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys"
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2"
- date = "2023-07-14"
+ hash = "0d30c6c4fa0216d0637b4049142bc275814fd674859373bd4af520ce173a1c75"
+ hash = "7164aaff86b3b7c588fc7ae7839cc09c5c8c6ae29d1aff5325adaf5bedd7c9f5"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */
@@ -1736,7 +2606,7 @@ rule PUA_VULN_Driver_Wj_Kprocesshacker_7021 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */
@@ -1757,7 +2627,7 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */
@@ -1773,13 +2643,38 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F { } +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_8ED0 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8ed0c00920ce76e832701d45117ed00b12e20588cb6fe8039fbccdfef9841047" + hash = "e77786b21dbe73e9619ac9aac5e7e92989333d559aa22b4b65c97f0a42ff2e21" + hash = "9724488ca2ba4c787640c49131f4d1daae5bd47d6b2e7e5f9e8918b1d6f655be" + hash = "a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0037003400360035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0037003400360035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + rule 
PUA_VULN_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C74 {
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CupFixerx64.sys"
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006e0063006500790020004300750070002000460069007800650072 } /* FileDescription SinceyCupFixer */
@@ -1801,7 +2696,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_3B6E {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */
@@ -1823,7 +2718,7 @@ rule PUA_VULN_Driver_Mydriverscom_Hwm_Drivergenius_08EB {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200470065006e0069007500730020004800610072006400770061007200650020006d006f006e00690074006f0072 } /* FileDescription DriverGeniusHardwaremonitor */
@@ -1839,13 +2734,36 @@ rule PUA_VULN_Driver_Mydriverscom_Hwm_Drivergenius_08EB { } +rule PUA_VULN_Driver_Rweverything_Asrsetupdrvsys_Asrsetupdrvdriver_A072 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrSetupDrv103.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a0728184caead84f2e88777d833765f2d8af6a20aad77b426e07e76ef91f5c3f" + hash = "9d9346e6f46f831e263385a9bd32428e01919cca26a035bbb8e9cb00bf410bc3" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* FileDescription AsrSetupDrvDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410073007200530065007400750070004400720076003100300033002e007300790073 } /* InternalName AsrSetupDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* ProductName AsrSetupDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410073007200530065007400750070004400720076003100300033002e007300790073 } /* OriginalFilename AsrSetupDrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ 
@@ -1861,13 +2779,35 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 { } +rule PUA_VULN_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_9833 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "983310cdce8397c016bfcfcc9c3a8abbb5c928b235bc3c3ae3a3cc10ef24dfbd" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_8CFD { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -1889,7 +2829,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -1905,13 +2845,64 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 { } +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_AD8F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ad8fd8300ed375e22463cea8767f68857d9a3b0ff8585fbeb60acef89bf4a7d7" + hash = "0507d893e3fd2917c81c1dc13ccb22ae5402ab6ca9fb8d89485010838050d08d" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + +rule PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_0F3E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE 
header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0f3e7bf7b103613844a38afb574817ddaecd00e4d206d891660dbb0e5dfee04e" + hash = "62b14bb308c99132d90646e85bc7d6eb593f38e225c8232f69f24b74a019c176" + hash = "9dbc2a37f53507296cc912e7d354dab4e55541ba821561aa84f74d1bd8346be2" + hash = "71701c5c569ef67391c995a12b21ca06935b7799ed211d978f7877115c58dce0" + hash = "81bcd8a3f8c17ac6dc4bad750ad3417914db10aa15485094eef0951a3f72bdbd" + hash = "1a0f57a4d7c8137baf24c65d542729547b876979273df7a245aaeea87280c090" + hash = "65a3e69854c729659281d2c5f8a4c8274ad3606befdcd9e1b79d3262f260bfa1" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e0037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BDBC { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -1933,7 +2924,7 @@ rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ 
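Review bot: The new `PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_0F3E` rule lists seven `hash` meta entries, yet with `all of them` it only fires on a binary whose version resource carries exactly `FileVersion 1.5.9.7` and `ProductVersion 6.2.9200.20557`; if any of those seven samples is a different build it will never match, so the meta would overstate coverage — worth scanning the seven files with the rule before merging. Consumers that load `meta` into a dictionary (yara-python's `match.meta`, for instance) keep only the last duplicate `hash` key, so anything downstream that correlates hits by meta hash will see `65a3e6…` alone; if that matters here, a single `hash` plus a comment listing the rest is safer. The CompanyName and ProductName strings in this rule are the generic WDK template values (`Windows (R) Win 7 DDK provider` / `… DDK driver`) and carry little discrimination on their own; the specificity comes from the FileDescription, InternalName and LegalCopyright strings, which a one-line comment such as `/* CompanyName/ProductName are WDK defaults; discriminating strings are FileDescription, InternalName, LegalCopyright */` would make clear.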
@@ -1948,6 +2939,31 @@ rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_6B71 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6b71b7f86e41540a82d7750a698e0386b74f52962b879cbb46f17935183cd2c7" + hash = "dd4fedd5662122cbfe046a12e2137294ef1cb7822238d9e24eacc78f22f8e93d" + hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" + hash = "1c2f1e2b0cc4da128feb73a6b9dd040df8495fefe861d69c9f44778c6ddb9b9b" + hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright 
CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hw.sys" @@ -1955,7 +2971,7 @@ rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c" hash = "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d00380020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ @@ -1977,7 +2993,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ 
@@ -1993,13 +3009,60 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster } +rule PUA_VULN_Driver_Innotekgmbh_Vboxusbmonsys_Virtualboxusbmonitordriver_3D05 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3d055be2671e136c937f361cef905e295ddb6983526341f1d5f80a16b7655b40" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_4C2D { + meta: + description = "Detects vulnerable 
driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4c2d2122ef7a100e1651f2ec50528c0d1a2b8a71c075461f0dc58a1aca36bc61" + hash = "d59cc3765a2a9fa510273dded5a9f9ac5190f1edf24a00ffd6a1bbd1cb34c757" + hash = "dafa4459d88a8ab738b003b70953e0780f6b8f09344ce3cd631af70c78310b53" + hash = "46d1dc89cc5fa327e7adf3e3d6d498657240772b85548c17d2e356aac193dd28" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310038002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_7133 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from 
the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -2021,7 +3084,7 @@ rule PUA_VULN_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
@@ -2037,6 +3100,28 @@ rule PUA_VULN_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_83A1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "83a1fabf782d5f041132d7c7281525f6610207b38f33ff3c5e44eb9444dd0cbc" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3FF3 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" @@ -2044,7 +3129,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa" hash = "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ 
@@ -2060,13 +3145,39 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 } +rule PUA_VULN_Driver_Novellinc_Novellxtier_1493 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "14938f68957ede6e2b742a550042119a8fbc9f14427fb89fa53fff12d243561c" + hash = "e4cf438838dc10b188b3d4a318fd9ba2479abb078458d7f97591c723e2d637ce" + hash = "41eeeb0472c7e9c3a7146a2133341cd74dd3f8b5064c9dee2c70e5daa060954f" + hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" + hash = "a495ffa623a5220179b0dd519935e255dd6910b7b7bc3d68906528496561ff53" + hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_6532 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ @@ -2088,7 +3199,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_1768 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -2110,7 +3221,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_D7E0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ 
@@ -2130,7 +3241,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1A42 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -2152,7 +3263,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_BCFC { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2175,7 +3286,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039" hash = "b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -2191,13 +3302,35 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_EC9B { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ec9bd7fb90c3a2aa4605bd73fe1f74399e2cda75fd4c5fff84660ad4f797c4fe" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Entechtaiwan_Seasys_Softenginex_6CB5 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Se64a.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006e005400650063006800200073006f006600740045006e00670069006e006500200078003600340020006b00650072006e0065006c002d006d006f006400650020006400720069007600650072 } /* FileDescription EnTechsoftEnginexkernelmodedriver */ @@ -2219,7 +3352,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ 
@@ -2235,25 +3368,23 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { } -rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_E0B5 { +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7702 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" - hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" - hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" - date = "2023-07-14" + hash = "7702f240800528d8186e3e6a26e2680486fed65a6fb5a2a000ad12c1fb61a398" + date = "2023-07-31" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } 
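Review bot: Detection of the three cpuz.sys builds (`e0b5a5f8…`, `a0721971…`, `ded2927f…`) disappears in this hunk: `PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_E0B5` is removed and `PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7702` takes its slot, with nothing here re-emitting the CPUID signature. Unless the regenerated file defines the CPUID rule elsewhere under another name, this silently retires a well-known vulnerable-driver detection, which looks like a generator/ordering side effect rather than an intended change. Suggest grepping the post-change rule set for `cpuz.sys` / `Cpuidservice` and, if absent, restoring the rule or recording why it was dropped. The new 7702 rule itself is consistent with its sibling `_EC9B` rule above, differing only in the version and copyright-year strings.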
@@ -2265,7 +3396,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -2283,11 +3414,11 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE { rule PUA_VULN_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocker_F85C { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IObitUnlocker.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription UnlockerDriver */ @@ -2309,7 +3440,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_5BD author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ 
@@ -2331,7 +3462,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -2353,7 +3484,7 @@ rule PUA_VULN_Driver_Multitheftauto_Mtasanandreas_9F4C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0075006c007400690020005400680065006600740020004100750074006f0020007000610074006300680020006400720069007600650072 } /* FileDescription MultiTheftAutopatchdriver */ 
@@ -2367,13 +3498,35 @@ rule PUA_VULN_Driver_Multitheftauto_Mtasanandreas_9F4C { } +rule PUA_VULN_Driver_Novellinc_Novellxtier_F629 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f62911334068c9edd44b9c3e8dee8155a0097aa331dd4566a61afa3549f35f65" + hash = "0cf91e8f64a7c98dbeab21597bd76723aee892ed8fa4ee44b09f9e75089308e2" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Zemanaltd_Zam_45F4 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project 
using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -2392,7 +3545,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3E1D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2414,7 +3567,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ 
@@ -2430,13 +3583,57 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D } +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_4ED2 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e00320030003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_CFA2 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "cfa28e2f624f927d4cbd2952306570d86901d2f24e3d07cc6277e98289d09783" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e002000260020004f00740068006500720073 } /* LegalCopyright SunMicrosystemsIncOthers */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B583 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo10X64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ 
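Review bot: The new Realtek rule's description names rtkio.sys, rtkio64.sys, rtkiow8x64.sys and rtkiow10x64.sys, but its InternalName and OriginalFilename strings both decode to `rtkio64.sys ` (with a trailing space), and with `all of them` only that one binary name can ever match; either the description should list only rtkio64.sys or the other names need strings of their own. The CompanyName, ProductName and LegalCopyright strings in the same rule carry long runs of `0020` padding that are matched literally, so a build with a different pad length is silently missed — worth checking whether the generator should trim trailing spaces before emitting the hex. In the Sun Microsystems VBoxTAP rule the FileVersion and ProductVersion strings both decode to `8/2`, which looks like a truncated value; confirm it against the sample, since a wrong value here means the rule never fires. The same `8/2` value is repeated in the innotek VBoxTAP rule in the `@@ -2474` hunk.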
@@ -2452,13 +3649,57 @@ rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B583 { } +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_88FB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "88fb0a846f52c3b680c695cd349bf56151a53a75a07b8b0b4fe026ab8aa0a9af" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdriver_4AE4 { + meta: + description = "Detects 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrAutoChkUpdDrv_1_0_32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ae42c1f11a98dee07a0d7199f611699511f1fb95120fabc4c3c349c485467fe" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* InternalName AsrAutoChkUpdDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* ProductName AsrAutoChkUpdDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* OriginalFilename AsrAutoChkUpdDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* 
LegalCopyright CopyrightCASRockIncorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_F6CD { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ 
@@ -2474,23 +3715,23 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster } -rule PUA_VULN_Driver_Novellinc_Novellxtier_B37B { +rule PUA_VULN_Driver_Innotekgmbh_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_994F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b" - hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e" - date = "2023-07-14" + hash = "994f322def98c99aec7ea0036ef5f4b802120458782ae3867d116d55215c56e4" + date = "2023-07-31" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048002000260020004f00740068006500720073 } /* LegalCopyright innotekGmbHOthers */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } 
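Review bot: Replacing `PUA_VULN_Driver_Novellinc_Novellxtier_B37B` in place with the innotek VBoxTAP rule drops the only version-info rule in this view for libnicm.sys 3.1.6.0 (hashes b37b3c68… and b50ffc60…); the new libnicm.sys rule added in the `@@ -2607` hunk matches FileVersion 3.1.12.0 with four different hashes, so those two samples lose coverage unless they are re-added outside this diff. If the drop is intentional because the samples are no longer listed upstream, the commit message should say so. Judging from this hunk, the generator seems to emit rules in a non-stable order, which is why an unrelated removal and addition collapse into one replace hunk; sorting by hash before writing the file would keep such diffs reviewable.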
@@ -2502,7 +3743,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2A62 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -2524,7 +3765,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -2547,7 +3788,7 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_092D reference = "https://github.com/magicsword-io/LOLDrivers" hash = "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0" hash = "0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ 
@@ -2563,13 +3804,36 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_092D } +rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_9D53 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9d530642aeb6524691d06b9e02a84e3487c9cdd86c264b105035d925c984823a" + hash = "5e27fe26110d2b9f6c2bad407d3d0611356576b531564f75ff96f9f72d5fcae4" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Supermicrocomputerinc_Phymem_Phymem_1963 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - phymem64.sys" 
author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007000680079006d0065006d0020004100700070006c00690063006100740069006f006e } /* FileDescription phymemApplication */ @@ -2591,7 +3855,7 @@ rule PUA_VULN_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmemsys_Physi author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* FileDescription PhysicalMemoryAccessDriver */ 
@@ -2607,13 +3871,37 @@ rule PUA_VULN_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmemsys_Physi } +rule PUA_VULN_Driver_Novellinc_Novellxtier_D04C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d04c72fd31e7d36b101ad30e119e14f6df9cbc7a761526da9b77f9e0b9888bc4" + hash = "3b7177e9a10c1392633c5f605600bb23c8629379f7f42957972374a05d4dc458" + hash = "87e094214feb56a482cd8ae7ee7c7882b5a8dccce7947fdaa04a660fa19f41e5" + hash = "72b67b6b38f5e5447880447a55fead7f1de51ca37ae4a0c2b2f23a4cb7455f35" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + 
condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_E839 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004300500055005f00430043 } /* FileDescription NTIOLibforMSICPUCC */ @@ -2631,11 +3919,11 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_E839 { rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F85E { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -2657,8 +3945,11 @@ rule PUA_VULN_Driver_Novellinc_Novellxtier_6C71 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44" + hash = "8b688dd055ead2c915a139598c8db7962b42cb6e744eaacfcb338c093fc1f4e7" + hash = "84739539aa6a9c9cb3c48c53f9399742883f17f24e081ebfa7bfaaf59f3ed451" + hash = "e279e425d906ba77784fb5b2738913f5065a567d03abe4fd5571695d418c1c0f" hash = "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ @@ -2679,7 +3970,7 @@ rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_DD4A { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ @@ -2702,7 +3993,7 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_0005 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b" hash = "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ 
@@ -2724,7 +4015,7 @@ rule PUA_VULN_Driver_Creativetechnologyinnovationcoltd_Ctiiosys_Ctiiodriverversi author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430054004900200049004f0020006400720069007600650072 } /* FileDescription CTIIOdriver */ @@ -2746,7 +4037,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
@@ -2758,7 +4049,29 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them + uint16(0) == 0x5a4d and filesize < 300KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytes_Elbycdio_Cdrtools_98EC { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "98ec7cc994d26699f5d26103a0aeb361128cff3c2c4d624fc99126540e23e97e" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them } @@ -2772,7 +4085,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F { hash = "0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c" hash = "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f" hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -2795,7 +4108,7 @@ rule PUA_VULN_Driver_Huawei_Hwosec_Huaweimatebook_BB11 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc" hash = "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480077004f0073003200450063 } /* FileDescription HwOsEc */ 
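Review bot: The removed and re-added condition line of the Avast aswArPot rule read identically here, so that part of the hunk is a whitespace-only change, presumably indentation or trailing space from the generator template; if the template changed, the other rules' condition lines will churn the same way on the next run, so normalising whitespace in the generator would keep future diffs to real changes. The new `PUA_VULN_Driver_Elaboratebytes_Elbycdio_Cdrtools_98EC` rule differs from the existing `_F85E` ElbyCDIO rule by its FileDescription (`ElbyCD Windows NT/2000 I/O driver` versus the NT/2000/XP variant), which is fine, but a one-line comment such as `// distinct from _F85E: older NT/2000 FileDescription` above the rule would save the next reader from flagging it as a duplicate.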
@@ -2817,7 +4130,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -2833,13 +4146,59 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { } +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_0BD1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0bd1523a68900b80ed1bccb967643525cca55d4ff4622d0128913690e6bb619e" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_1FAC { + meta: + description = "Detects vulnerable driver mentioned in 
LOLDrivers project using VersionInfo values from the PE header - EIO.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718" + hash = "f4c7e94a7c2e49b130671b573a9e4ff4527a777978f371c659c3f97c14d126de" + hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers 
project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
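Review bot: `PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_1FAC` lists three `hash` entries but a single `filesize < 100KB` bound, and since the rule matches on VersionInfo only, any of the three samples that is larger than the cap is silently excluded. I cannot tell from the hunk how the generator derives the cap; if it is taken from the largest listed sample that is fine, otherwise please confirm against all three files. Separately, in `PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_0BD1` the `/* FileVersion X */` and `/* ProductVersion X */` comments are misleading: the hex `00580032002e00300033002e00310031` decodes to `X2.03.11`, so the comment generator appears to drop digits and punctuation; `/* FileVersion X2.03.11 */` would let a reviewer check the string without decoding it.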
@@ -2855,13 +4214,35 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 { } +rule PUA_VULN_Driver_Netfiltersys_F171 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f1718a005232d1261894b798a60c73d971416359b70d0e545d7e7a40ed742b71" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e0038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_074A { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" 
reference = "https://github.com/magicsword-io/LOLDrivers" hash = "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -2884,7 +4265,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54" hash = "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -2906,7 +4287,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_818E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
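Review bot: In `PUA_VULN_Driver_Netfiltersys_F171` the `CompanyName` and `ProductName` strings end in empty comments (`/* CompanyName */`, `/* ProductName */`) because their values are non-Latin UTF-16 code units (`5b8f56fe65e05fe7`, `65e05fe752a0901f5668`) that the comment generator dropped, so those two strings cannot be sanity-checked without decoding them by hand. Suggest emitting the decoded text in the comment, or at least marking it, e.g. `/* CompanyName (CJK, 4 chars) */` and `/* ProductName (CJK, 5 chars) */`; the rule name also lost its vendor segment for the same reason. netfilter2.sys is publicly reported as a signed malicious driver rather than a merely vulnerable one; if this entry comes from that category, the templated "Detects vulnerable driver" description and `score = 40` understate the finding and may be worth overriding in the generator's per-entry data.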
@@ -2929,7 +4310,7 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_5FAD { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36" hash = "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ @@ -2951,7 +4332,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_ED2F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2973,7 +4354,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_DE8F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ 
@@ -2986,41 +4367,13 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_DE8F { } -rule PUA_VULN_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_950A { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrOmgDrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9" - hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" - hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" - hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" - hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838" - hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d" - hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - rule PUA_VULN_Driver_Zemanaltd_Zam_E428 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3044,7 +4397,7 @@ rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_0AAF { hash = "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14" hash = "2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a" hash = "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* FileDescription RWEverythingReadWriteDriver */ 
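Review bot: This hunk deletes `PUA_VULN_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_950A` (seven hashes) outright, and the same happens to `PUA_VULN_Driver_Novellinc_Novellxtier_CF31` (replaced in place by the SiSoftware rules in the -3060 hunk), `PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_93D8` (-3145), `PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_2EF7` (-3257) and `PUA_VULN_Driver_Powertool_Kevpsys_Powertool_1AAA` (-3392), while the commit message only speaks of adding new rules. Unless these rules reappear elsewhere in the regenerated file, this is a detection-coverage regression that is easy to miss among the date bumps. Please state in the commit description whether the removals are intentional (entries retired or renamed upstream, or moved to another rule set), or keep the rules until the generator's input is reconciled.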
@@ -3060,23 +4413,45 @@ rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_0AAF { } -rule PUA_VULN_Driver_Novellinc_Novellxtier_CF31 { +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_CBF7 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NICM.SYS" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" - hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" - date = "2023-07-14" + hash = "cbf74bed1a4d3d5819b7c50e9d91e5760db1562d8032122edac6f0970f427183" + date = "2023-07-31" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e00640072006100200044006500760069006300650020004400720069007600650072002000280049004100360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverIAUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule 
PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1284 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0032002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0032002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300035002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } 
@@ -3088,7 +4463,7 @@ rule PUA_VULN_Driver_Logitechinc_Lvavsys_Logitechwebcamsoftware_E86C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f00670069007400650063006800200056006900640065006f0020004400720069007600650072 } /* FileDescription LogitechVideoDriver */ @@ -3110,7 +4485,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_2BBC { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3129,7 +4504,7 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F15A { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ 
@@ -3145,35 +4520,13 @@ rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F15A { } -rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_93D8 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_86A1 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 
aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3195,7 +4548,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3217,7 +4570,7 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltxsys_Panca author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ 
@@ -3241,7 +4594,7 @@ rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodena hash = "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab" hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82" hash = "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ 
@@ -3257,38 +4610,13 @@ rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodena } -rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_2EF7 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e" - hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98" - hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126" - hash = "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_6FFD { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c00650020004e006f00540072006100700020004200750069006c0064 } /* FileDescription TrendMicroCommonModuleNoTrapBuild */ @@ -3310,7 +4638,7 @@ rule PUA_VULN_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserverddkdriv author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200044006500760069006300650020004400720069007600650072 } /* FileDescription SpeedFanDeviceDriver */ 
@@ -3326,13 +4654,35 @@ rule PUA_VULN_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserverddkdriv } +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_F4EE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f4ee803eefdb4eaeedb3024c3516f1f9a202c77f4870d6b74356bbde32b3b560" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_AD8F { meta: description = "Detects vulnerable driver mentioned in 
LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -3354,7 +4704,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_34E author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -3376,7 +4726,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
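Review bot: `PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_F4EE` is the `_0BD1` rule from the -2833 hunk with only the `x64`/`x32` code units changed (`00360034` vs `00330032`) in FileDescription, InternalName and OriginalFilename; the company, version and copyright strings are identical. That is expected from a one-rule-per-entry generator, but if hand curation is allowed the pair could be a single rule whose three differing strings use a `( 33 32 | 36 34 )` alternation, and if not, a comment on each rule naming its sibling (`/* see _0BD1 for the 32-bit build */`) would save reviewers a diff.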
@@ -3392,37 +4742,13 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { } -rule PUA_VULN_Driver_Powertool_Kevpsys_Powertool_1AAA { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" - hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" - hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them -} - - rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2FBB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project 
using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -3444,7 +4770,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_14AD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3466,7 +4792,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E4D9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
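Review bot: PUA_VULN_Driver_Powertool_Kevpsys_Powertool_1AAA is deleted outright at the top of this hunk, taking its three hashes (`1aaa9aef…`, `09b0e07a…`, `8e6363a6…`) out of the rule set, and no replacement rule for kEvP64.sys is visible in this section. If the PowerTool entry was intentionally dropped from the upstream YAML, the commit message should say so; if the regeneration silently lost it, detection coverage for those samples regresses. A quick pre-merge check is to search the regenerated rule file for `kEvP64` or any of the three hashes.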
@@ -3488,7 +4814,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F65 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -3512,7 +4838,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 hash = "3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc" hash = "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7" hash = "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ 
@@ -3528,13 +4854,35 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6E9E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6e9e9e0b9a23deec5f28dc45f0bbe7423565f037f74be2957e82e5f72c886094" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003800300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00380030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} 
+ + rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_A2F4 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -3556,7 +4904,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_DCB8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3580,7 +4928,7 @@ rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxd hash = "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d" hash = "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af" hash = "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ 
@@ -3598,11 +4946,11 @@ rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxd rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ @@ -3620,11 +4968,11 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_496F { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ 
@@ -3646,7 +4994,7 @@ rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_43BA { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d004900430053005900530020006400720069007600650072 } /* FileDescription MICSYSdriver */ @@ -3669,7 +5017,7 @@ rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_4880 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8" hash = "55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d003100300020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ 
@@ -3685,13 +5033,59 @@ rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_4880 { } +rule PUA_VULN_Driver_Overclockingtool_Atillksys_Overclockingtool_11A9 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "11a9787831ac4f0657aeb5e7019c23acc39d8833faf28f85bd10d7590ea4cc5f" + hash = "d2182b6ef3255c7c1a69223cd3c2d68eb8ba3112ce433cd49cd803dc76412d4b" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f0076006500720063006c006f0063006b0069006e00670020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription OverclockingHardwareAbstractionSys */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* CompanyName OverclockingTool */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* ProductName OverclockingTool */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002c00200032003000300035 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + 
+rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_0C92 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0c925468c3376458d0e1ec65e097bd1a81a03901035c0195e8f6ef904ef3f901" + hash = "16e2b071991b470a76dff4b6312d3c7e2133ad9ac4b6a62dda4e32281952fb23" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them +} + + rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo 
values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -3712,18 +5106,62 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibra description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960" - date = "2023-07-14" + hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* InternalName PanIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* OriginalFilename PanIOsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_0DC4 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0dc4ff96d7e7db696e0391c5a1dda92a0b0aedbf1b0535bf5d62ebeec5b2311c" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename 
ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_66F8 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "66f8bd2b29763acfbb7423f4c3c9c3af9f3ca4113bd580ab32f6e3ee4a4fc64e" + hash = "7f84f009704bc36f0e97c7be3de90648a5e7c21b4f870e4f210514d4418079a0" + date = "2023-07-31" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* InternalName PanIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* OriginalFilename PanIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } 
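Review bot: The new PUA_VULN_Driver_Novellinc_Novellxtier_66F8 rule carries seven `$` strings and no InternalName entry, whereas the PanIO and ElbyCDIO rules in this hunk each have eight; `all of them` binds only the strings present, so the rule compiles, but it is worth confirming the omission reflects the driver's VersionInfo rather than a field dropped by the generator. Separately, the PanIO `hash = "f596e64f…"` line is removed and re-added with the same visible content, which suggests a whitespace or indentation difference in the generated output; normalizing the generator's indentation would keep that churn out of future diffs.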
@@ -3731,11 +5169,11 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibra rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ 
@@ -3751,13 +5189,35 @@ rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { } +rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_D0EB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d0eb3ba0aff471d19260192784bf9f056d669b779b6eaff84e732b7124ce1d11" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -3773,13 +5233,35 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1F15 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1f15fd9b81092a98fabcc4ac95e45cec2d9ff3874d2e3faac482f3e86edad441" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Fujitsulimited_Advdrvsys_Microsoftrwindowsroperatingsystem_04A8 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ADV64DRV.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460055004a00490054005300550020004c0049004d0049005400450044002e } /* CompanyName FUJITSULIMITED */ @@ -3800,7 +5282,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0CD author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -3822,7 +5304,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7837 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
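Review bot: PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1F15 is the fifth ElbyCDIO rule in this file section (alongside _2FBB, _2380, _5CFA and _0DC4) that shares the same FileDescription, CompanyName, InternalName, ProductName and OriginalFilename strings and differs only in the FileVersion, ProductVersion and LegalCopyright hex, so each rule pins one exact build and an unlisted ElbyCDIO version matches none of them. That per-hash design appears intentional, but a short comment in the generator's output or the README explaining that these strict rules are complemented by looser family rules would save reviewers re-deriving it from the hex. If no such family rule exists, that is the coverage gap to document rather than the duplication itself.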
@@ -3844,7 +5326,7 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsys_Pancaf author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ @@ -3866,7 +5348,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_D0BD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -3888,7 +5370,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_4E37 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -3910,7 +5392,7 @@ rule PUA_VULN_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f006200690074002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription IObitTemperatureMonitor */ @@ -3928,11 +5410,11 @@ rule PUA_VULN_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_881B { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -3954,7 +5436,7 @@ rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_3D23 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ 
@@ -3978,7 +5460,7 @@ rule PUA_VULN_Driver_Windowsrwinddkprovider_Vmdrvsys_Windowsrwinddkdriver_D884 { hash = "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3" hash = "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921" hash = "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0056006f006900630065006d006f00640020005600690072007400750061006c00200041007500640069006f00200044006500760069006300650020002800570044004d0029 } /* FileDescription VoicemodVirtualAudioDeviceWDM */ @@ -4001,7 +5483,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_C reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc" hash = "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -4023,7 +5505,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F69 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -4045,7 +5527,7 @@ rule PUA_VULN_Driver_Oti_Otipcibussys_Kernelmodedrivertoaccessphysicalmemoryandp author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200041006300630065007300730020004400720069007600650072 } /* FileDescription HardwareAccessDriver */ @@ -4067,7 +5549,7 @@ rule PUA_VULN_Driver_Atszio_Atsziodriver_673B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b" hash = "31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -4084,11 +5566,11 @@ rule PUA_VULN_Driver_Atszio_Atsziodriver_673B { rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -4104,13 +5586,35 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB { } +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_D7C7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright 
CopyrightSiSoftwareLtdPresentAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_A802 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4132,7 +5636,7 @@ rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windowsrcoden author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041005300550053002000540044004500200043005000550020004400720069007600650072 } /* FileDescription ASUSTDECPUDriver */ @@ -4154,7 +5658,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -4170,45 +5674,23 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { } -rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_358A { +rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_1E94 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - -rule PUA_VULN_Driver_Novellinc_Novellxtier_CE23 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + description = "Detects vulnerable driver 
mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" - hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" - date = "2023-07-14" + hash = "1e94d4e6d903e98f60c240dc841dcace5f9e8bbb0802e6648a49ab80c23318cb" + date = "2023-07-31" score = 40 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ condition: uint16(0) == 0x5a4d and filesize < 100KB and all of them } @@ -4220,7 +5702,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_3C18 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ 
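Review bot: This hunk drops the WiseUnlo.sys rule (hash 358ac54b…) and the nscm.sys rule PUA_VULN_Driver_Novellinc_Novellxtier_CE23 (hashes ce23c2da…, 28999af3…) while only the SpeedFan sfdrvx32.sys rule (1e94d4e6…) takes their place, so unless those three hashes are re-emitted under other rule names elsewhere in this regenerated file, detection coverage for them is lost silently. Since the commit also re-runs the enrichment over every YAML, the corresponding driver entries would be left with a stale or missing YARA block; a grep for those hashes on the new side of the full file would settle whether this is a real regression or just git pairing unrelated rules. If the removal is intentional (for example the LOLDrivers entries were retired), a short `// retired: WiseUnlo.sys 358ac54b…, nscm.sys ce23c2da…/28999af3…` comment at this spot, or a note in the commit message, would keep the coverage change reviewable. The replacement rule itself follows the file's convention (`uint16(0) == 0x5a4d and filesize < 100KB and all of them`) and needs no change.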
@@ -4239,7 +5721,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -4255,13 +5737,35 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_3E85 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3e85cf32562a47d51827b21ab1e7f8c26c0dbd1cd86272f3cc64caae61a7e5fb" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Hpdevelopmentcompany_Etdsuppsys_Hpetdidriverdll_F744 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - etdsupp.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004500540044006900200053007500700070006f007200740020004400720069007600650072 } /* FileDescription ETDiSupportDriver */ @@ -4283,7 +5787,7 @@ rule PUA_VULN_Driver_Asus_Asmmapsys_Atkgenericfunctionservice_025E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0065006d006f007200790020006d0061007000700069006e00670020004400720069007600650072 } /* FileDescription MemorymappingDriver */ @@ -4305,7 +5809,7 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ 
@@ -4321,34 +5825,13 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 { } -rule PUA_VULN_Driver_Novellinc_Novellxtier_8E88 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0B54 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE 
header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -4370,7 +5853,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -4393,7 +5876,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_5439 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91" hash = "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ 
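Review bot: PUA_VULN_Driver_Novellinc_Novellxtier_8E88 (nscm.sys, hash 8e88cb80…) is removed in this hunk with nothing replacing it, and the Novell rule added further down (libnicm.sys, hashes e89cb721… and 834a3d75…) matches a different driver and different hashes, so coverage for this sample appears to be dropped unless the rule reappears elsewhere in the new file. Before merging, it would be worth checking that the enrichment script flags YAML entries whose hash no longer resolves to any rule instead of silently keeping the old block or emitting an empty one; I cannot see that script in this chunk, so this is an inference from the commit description. If the deletion is deliberate, a one-line `// removed: nscm.sys 8e88cb80… (no longer listed upstream)` marker here would document the coverage change for the next reviewer.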
@@ -4406,13 +5889,57 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_5439 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_FF1C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ff1ccef7374a1a5054a6f4437e3e0504b14ed76e17090cc6b1a4ec0e2da427a5" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003600300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00360030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule 
PUA_VULN_Driver_Realixtm_Hwinfoisys_Hwinfoiakerneldriver_33C6 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO64I.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "33c6c622464f80a8d8017a03ff3aa196840da8bb03bfb5212b51612b5cf953dc" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOIAKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e00370032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00370032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* InternalName HWiNFOISYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOIAKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* OriginalFilename HWiNFOISYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100320020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project 
using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -4428,13 +5955,57 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7125 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7125c9831a52d89d3d59fb28043b67fbe0068d69732da006fabb95550d1fa730" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all 
of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtier_E89C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e89cb7217ec1568b43ad9ca35bf059b17c3e26f093e373ab6ebdeee24272db21" + hash = "834a3d755b5ae798561f8e5fbb18cf28dfcae7a111dc6a03967888e9d10f6d78" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Advancedmicrodevicesinc_Amdpowerprofilersys_Amduprof_0AF5 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - AMDPowerProfiler.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d004400200050006f007700650072002000500072006f00660069006c0069006e00670020004400720069007600650072 } /* FileDescription AMDPowerProfilingDriver */ @@ -4456,7 +6027,7 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_Paniolibr author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ 
@@ -4472,13 +6043,35 @@ rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_Paniolibr } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_8DCE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8dcec67a1f4903981c3e0ab938784c2f241e041e26748e1c22059e0e507cfb37" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} 
+
+
 rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1AAF {
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys"
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */
@@ -4500,7 +6093,7 @@ rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_1D03 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */
@@ -4523,7 +6116,7 @@ rule PUA_VULN_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF {
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b"
 hash = "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */
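Review bot: The `date` meta of the Sandra rule is rewritten from 2023-07-14 to 2023-07-31 although nothing else in the rule changes, and every other date-only hunk in this file does the same, so `date` no longer records when a rule was introduced and an audit of rule age or of what actually changed in this regeneration can no longer separate new rules from untouched ones. If the regeneration run needs a timestamp, keep `date` stable for rules whose strings and condition are unchanged and carry the run stamp in a separate meta key (e.g. a constructed `modified = "2023-07-31"`), or bump only the rules whose detection logic changed. The Sandra rule's body continues outside the hunk.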
@@ -4539,13 +6132,35 @@ rule PUA_VULN_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF { } +rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_0452 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0452a6e8f00bae0b79335c1799a26b2b77d603451f2e6cc3b137ad91996d4dec" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Avastsoftware_Aswvmmsys_Avastantivirus_3650 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswVmm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00610076006100730074002100200056004d0020004d006f006e00690074006f0072 } /* FileDescription avastVMMonitor */ @@ -4567,7 +6182,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
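Review bot: The trailing `/* … */` comment on each new `$` string is the only human-readable record of what the hex encodes, but it appears to be produced by dropping digits and punctuation, so `/* FileVersion */` and `/* ProductVersion */` in the new Insyde rule carry no value at all and `CopyrightcInsydeSoftwareCorpAllRightsReserved` loses its years. Decoding the pattern by hand, the Insyde FileVersion line encodes `100, 0, 0, 1`; keeping the decoded value verbatim, e.g. `/* FileVersion "100, 0, 0, 1" */`, would let a reviewer check each pattern against the sample's VersionInfo without decoding UTF-16 themselves. The same applies to every rule added in this patch. The Avast aswVmm rule at the end of the hunk continues outside it.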
@@ -4583,6 +6198,28 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { } +rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_DD62 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "dd628061d6e53f3f0b44f409ad914b3494c5d7b5ff6ff0e8fc3161aacec93e96" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d0020004400720069007600650072 } /* FileDescription TrendMicroELAMDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FCA1 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" @@ -4590,7 +6227,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FCA1 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c" hash = "7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -4606,6 +6243,28 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FCA1 { } +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_DB71 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "db711ec3f4c96b60e4ed674d60c20ff7212d80e34b7aa171ad626eaa8399e8c7" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e0032003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_7E81 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" @@ -4613,7 +6272,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d" hash = "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ 
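Review bot: The new Realtek DB71 rule's description claims rtkio.sys, rtkio64.sys, rtkiow8x64.sys and rtkiow10x64.sys, but its InternalName and OriginalFilename patterns pin `rtkio64.sys ` (with a trailing space) and the CompanyName, ProductName and LegalCopyright patterns embed long runs of `0020` padding, so under `all of them` the rule fires only on a build with exactly this padded layout and cannot cover the other three filenames it names. Either narrow the description to the hashed build, or trim the padding (a prefix still matches) so the ProductName line becomes `$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* ProductName RealtekIODriver */` and the CompanyName value likewise stops at `005200650061006c00740065006b`, then re-test against the hash, since a rule that quietly never matches is a detection gap rather than a visible failure. The `PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_A6F7` rule added later in this patch has the same padded patterns and the same four-filename description. The AMD Ryzen Master rule at the end of the hunk continues outside it.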
@@ -4629,13 +6288,34 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster } +rule PUA_VULN_Driver_Novellinc_Novellxtier_6CF1 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6cf1cac0e97d30bb445b710fd8513879678a8b07be95d309cbf29e9b328ff259" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310030002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B175 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - EIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ 
@@ -4647,7 +6327,26 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B175 {
 $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */
 $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000370020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */
 condition:
- uint16(0) == 0x5a4d and filesize < 100KB and all of them
+ uint16(0) == 0x5a4d and filesize < 100KB and all of them
+}
+
+
+rule PUA_VULN_Driver_3F20 {
+ meta:
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - pchunter.sys"
+ author = "Florian Roth"
+ reference = "https://github.com/magicsword-io/LOLDrivers"
+ hash = "3f20ac5dac9171857fc5791865458fdb6eac4fab837d7eabc42cb0a83cb522fc"
+ date = "2023-07-31"
+ score = 40
+ strings:
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]7cfb7edf4fe1606f67e5770b5de55177 } /* FileDescription */
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8982af7f5176feff0853174eacff0979d1628067099650516c53f8 } /* CompanyName */
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0035 } /* FileVersion */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0035002e0037 } /* ProductVersion */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200032003000310039002d003200300032003100200041006e00580069006e00530065006300200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CAnXinSecCorporationAllRightsReserved */
+ condition:
+ uint16(0) == 0x5a4d and filesize < 700KB and all of them
 }
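Review bot: The FileDescription and CompanyName patterns of the new `PUA_VULN_Driver_3F20` rule look byte-swapped: every other value pattern in this file is the UTF-16 big-endian form of an ASCII string (`0046 0069 …`), which matches the little-endian VersionInfo block only because every high byte is `00` and the same bytes appear shifted by one, whereas here the code units are non-ASCII (`7cfb`, `7edf`, …, which decode to CJK text only when read big-endian) and must appear as stored, low byte first. Unless this rule was verified against the hashed sample, those two strings will not match, and with `all of them` the whole rule silently never fires. The fix is to emit these two values little-endian, i.e. swap each byte pair: the FileDescription line becomes `$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]fb7cdf7ee14f6f60e5670b77e55d7751 } /* FileDescription */` and the CompanyName value `5b8982af7f5176feff0853174eacff0979d1628067099650516c53f8` becomes `895baf82517ffe7608ff1753ac4e09ffd1798062096750966c51f853`. Separately, the rule name drops the vendor/product tokens every other rule carries and both comments are empty, presumably because the non-ASCII value was stripped; a name such as `PUA_VULN_Driver_Pchunter_3F20` (constructed) and the decoded values in the comments would keep it consistent with the rest of the file.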
@@ -4657,7 +6356,7 @@ rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */
@@ -4679,7 +6378,7 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_119C {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f00360034 } /* FileDescription ALSysIO */
@@ -4695,13 +6394,35 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_119C { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9CA5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9ca586b49135166eea00c6f83329a2d134152e0e9423822a51c13394265b6340" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_1DDF { meta: 
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -4723,7 +6444,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_12ED { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4745,7 +6466,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3D9E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004e00540049004f004c00690062005f00450043004f } /* FileDescription NTIOLibForNTIOLibECO */ 
@@ -4767,7 +6488,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_A5A5 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
@@ -4789,7 +6510,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_2CE
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */
@@ -4811,7 +6532,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
@@ -4827,13 +6548,57 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4E54 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4e54e98df13110aac41f3207e400cce2a00df29ce18c32186e536c1de25a75ce" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000390020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule 
PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_A6F7 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a6f7897cd08fe9de5e902bb204ff87215584a008f458357d019a50d6139ca4af" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e00320030003100320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e0032003000310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0F01 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ 
@@ -4849,13 +6614,57 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ } +rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxusbmonsys_Virtualboxusbmonitordriver_8A24 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8a2482e19040d591c7cec5dfc35865596ce0154350b5c4e1c9eecc86e7752145" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} 
+ + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_033C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "033c4634ab1a43bc3247384864f3380401d3b4006a383312193799dded0de4c7" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_C082 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers 
project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4878,7 +6687,7 @@ rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_47EA { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84" hash = "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ @@ -4900,7 +6709,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_591B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d005300490052006100740069006f005f00430043 } /* FileDescription NTIOLibForMSIRatioCC */ 
@@ -4922,7 +6731,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3124 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004600720065007100750065006e00630079005f00430043 } /* FileDescription NTIOLibforMSIFrequencyCC */ 
@@ -4938,13 +6747,35 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3124 {
 }
+rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5148 {
+ meta:
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys"
+ author = "Florian Roth"
+ reference = "https://github.com/magicsword-io/LOLDrivers"
+ hash = "51480eebbbfb684149842c3e19a8ffbd3f71183c017e0c4bc6cf06aacf9c0292"
+ date = "2023-07-31"
+ score = 40
+ strings:
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200033 } /* FileVersion */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200030 } /* ProductVersion */
+ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
+ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003300200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
+ condition:
+ uint16(0) == 0x5a4d and filesize < 100KB and all of them
+}
+
+
 rule
PUA_VULN_Driver_Safenetinc_Hostnt_Hostnt_07B6 {
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HOSTNT.sys"
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006f00730074006e0074002000360034002d0062006900740020006400720069007600650072 } /* FileDescription Hostntbitdriver */
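Review bot: The hunk rewrites `date = "2023-07-14"` to `date = "2023-07-31"` on PUA_VULN_Driver_Safenetinc_Hostnt_Hostnt_07B6 although none of that rule's strings or its condition change, and the same date-only edit is applied to every pre-existing rule visible in this chunk. If `date` is meant to record when a rule was last modified (it is the only timestamp in the meta block), that signal is lost, and the few genuinely new rules such as PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5148 above are buried among no-op hunks. Consider having the generator keep the existing `date` for rules whose strings and condition are unchanged, i.e. leave `date = "2023-07-14"` here, so that the diff shows only real additions. The Hostnt rule body continues past the end of the hunk.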
@@ -4960,13 +6791,35 @@ rule PUA_VULN_Driver_Safenetinc_Hostnt_Hostnt_07B6 {
 }
+rule PUA_VULN_Driver_Proxydrvsys_Nn_0B20 {
+ meta:
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys"
+ author = "Florian Roth"
+ reference = "https://github.com/magicsword-io/LOLDrivers"
+ hash = "0b205838a8271daea89656b1ec7c5bb7244c42a8b8000d7697e92095da6b9b94"
+ date = "2023-07-31"
+ score = 40
+ strings:
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c00330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */
+ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */
+ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */
+ condition:
+ uint16(0) == 0x5a4d and filesize < 100KB and all of them
+}
+
+
 rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 {
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
@@ -4988,7 +6841,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_76E8 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
@@ -5010,7 +6863,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_2D2C {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
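Review bot: The FileDescription, CompanyName and ProductName strings of PUA_VULN_Driver_Proxydrvsys_Nn_0B20 spell their non-ASCII characters as per-character big-endian code units (`96f7 795e …`, and `ff08`/`ff09` for the full-width parentheses in CompanyName), whereas VS_VERSIONINFO stores its strings as UTF-16LE. The ASCII-only strings in these rules appear to line up with little-endian data only because each `00 xx` pair coincides with a preceding null byte followed by the character, and that coincidence does not hold for code units above U+00FF, so with `all of them` in the condition this rule should never fire on the listed sample as written (unless the driver really stores those fields big-endian, which I would not expect). Either re-encode the key and value of those three strings as true little-endian byte sequences (the ProductName value would start `f7 96 5e 79 4e 00 4e 00 a0 52 1f 90 68 56`, with the `[1-8]` jump re-checked against the sample) or drop them and keep `all of them` over the five remaining strings. PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 at the end of the hunk continues past it.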
@@ -5032,7 +6885,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -5048,13 +6901,36 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 { } +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_442C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "442c18aeb09556bb779b21185c4f7e152b892410429c123c86fc209a802bff3c" + hash = "3e1f592533625bf794e0184485a4407782018718ae797103f9e968ff6f0973a1" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e0032003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* 
OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Zemanaltd_Zam_9A95 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -5073,7 +6949,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CC58 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ 
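Review bot: The CompanyName, ProductName, InternalName, OriginalFilename and LegalCopyright strings of PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_442C carry the sample's trailing-space padding byte for byte (long runs of `0020`, and `rtkio64.sys ` with a trailing blank), and `all of them` requires every one of them to match exactly. That makes the rule a fingerprint of the two listed builds rather than of the family named in the description: a file called rtkio.sys, rtkiow8x64.sys or rtkiow10x64.sys cannot satisfy the InternalName/OriginalFilename strings, and any rebuild whose resource padding differs by one space fails the other three. If family coverage is intended, trim the padding from those strings (ending the InternalName pattern at `…002e007300790073`) and relax the condition; if not, narrow the description to the rtkio64.sys build so the rule's reach is not overstated. PUA_VULN_Driver_Zemanaltd_Zam_9A95 at the end of the hunk continues past it.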
@@ -5095,7 +6971,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_C901 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5117,7 +6993,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
@@ -5133,6 +7009,50 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4AC0 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ac08a6035cfcafdac712d7c3cf2eef6e10258f14cee6e80e1ef2f71f5045173" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003900300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00390030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule 
PUA_VULN_Driver_Logitech_Lgcoretempsys_Lgcoretemp_E0CB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgCoreTemp.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430050005500200043006f00720065002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription CPUCoreTemperatureMonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f006700690074006500630068 } /* CompanyName Logitech */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* InternalName LgCoreTempsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070 } /* ProductName LgCoreTemp */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* OriginalFilename LgCoreTempsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004c006f006700690074006500630068002c00200049006e0063 } /* LegalCopyright CopyrightLogitechInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_C64D { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" 
@@ -5140,7 +7060,7 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_C64D { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc" hash = "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ 
@@ -5156,13 +7076,56 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_C64D { } +rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_7A2C { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7a2cd1dc110d014165c001ce65578da0c0c8d7d41cc1fa44f974e8a82296fc25" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e003100200028003200300030003600300038003000380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_16B5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from 
the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "16b591cf5dc1e7282fdb25e45497fe3efc8095cbe31c05f6d97c5221a9a547e1" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_263E { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = 
"263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -5184,7 +7147,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E3EF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5206,7 +7169,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_98B7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f0072002000440065006200750067004c00450044 } /* FileDescription NTIOLibforDebugLED */ @@ -5228,7 +7191,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ 
@@ -5250,7 +7213,7 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5268,11 +7231,11 @@ rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -5295,7 +7258,7 @@ rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5" hash = "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ 
@@ -5311,13 +7274,35 @@ rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD { } +rule PUA_VULN_Driver_Genitlkiwibenjaminxxxxx_Titidrv_Titidrvtiticatz_208E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - titidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "208ea38734979aa2c86332eba1ea5269999227077ff110ac0a0d411073165f85" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007400690074006900640072007600200066006f0072002000570069006e0064006f00770073002000280074006900740069006300610074007a0029 } /* FileDescription titidrvforWindowstiticatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* CompanyName genitlkiwiBenjaminXXXXX */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0074006900740069006400720076 } /* InternalName titidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0074006900740069006400720076002000280074006900740069006300610074007a0029 } /* ProductName titidrvtiticatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0074006900740069006400720076002e007300790073 } /* OriginalFilename titidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* LegalCopyright CopyrightcgenitlkiwiBenjaminXXXXX */ + condition: + 
uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5339,7 +7324,7 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
@@ -5355,13 +7340,37 @@ rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 {
 }
+rule PUA_VULN_Driver_Netfiltersys_79E7 {
+ meta:
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys"
+ author = "Florian Roth"
+ reference = "https://github.com/magicsword-io/LOLDrivers"
+ hash = "79e7165e626c7bde546cd1bea4b9ec206de8bed7821479856bdb0a2adc3e3617"
+ hash = "edc6e32e3545f859e5b49ece1cabd13623122c1f03a2f7454a61034b3ff577ed"
+ hash = "18b923b169b2c3c7db5cbfda0db0999f04adb2cf6c917e5b1fb2ff04714ecac1"
+ date = "2023-07-31"
+ score = 40
+ strings:
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */
+ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f56689a7152a865874ef6 } /* ProductName */
+ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */
+ condition:
+ uint16(0) == 0x5a4d and filesize < 100KB and all of them
+}
+
+
 rule
PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E05E {
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys"
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
@@ -5383,7 +7392,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_478D {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
@@ -5405,7 +7414,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_BE8D {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
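Review bot: The CompanyName (`5b8f56fe65e05fe7`) and ProductName (`65e05fe752a0901f…`) strings of PUA_VULN_Driver_Netfiltersys_79E7 are written as per-character big-endian code units, but VersionInfo strings are UTF-16LE, so these two patterns should not be found in the samples and `all of them` then keeps the rule from matching any of the three listed hashes (assuming the binaries store those fields little-endian as VS_VERSIONINFO requires). The other six strings are ASCII and do line up with little-endian data, apparently only because each `00 xx` pair coincides with a preceding null byte followed by the character. Re-encode the two CJK strings little-endian (the CompanyName value becomes `8f 5b fe 56 e0 65 e7 5f`, with the `[1-8]` jump re-verified against a sample) or remove them and keep `all of them` over the remaining six. PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E05E at the end of the hunk continues past it.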
@@ -5427,7 +7436,7 @@ rule PUA_VULN_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdri author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ @@ -5449,7 +7458,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_0F17 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -5471,7 +7480,7 @@ rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyvektortrev author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
@@ -5487,13 +7496,35 @@ rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyvektortrev
 }
 
 
+rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7CF7 {
+ meta:
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys"
+ author = "Florian Roth"
+ reference = "https://github.com/magicsword-io/LOLDrivers"
+ hash = "7cf756afcaf2ce4f8fb479fdede152a17eabf4c5c7c329699dab026a4c1d4fd0"
+ date = "2023-07-31"
+ score = 40
+ strings:
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200037 } /* FileVersion */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
+ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
+ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
+ condition:
+ uint16(0) == 0x5a4d and filesize < 100KB and all of them
+}
+
+
 rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_4408 {
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
@@ -5515,7 +7546,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
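Review bot: The trailing comment on each `$` string of the new 7CF7 rule is produced by stripping everything except letters from the decoded value, so it no longer identifies what the hex actually matches: the FileDescription pattern decodes to `ElbyCD Windows x64 I/O driver` but the comment reads `/* FileDescription ElbyCDWindowsxIOdriver */`, and the FileVersion and ProductVersion comments are left empty. Anyone triaging a hit or checking which build the rule covers has to hand-decode the UTF-16 hex. Suggest emitting the decoded value verbatim, e.g. `/* FileDescription "ElbyCD Windows x64 I/O driver" */` and `/* FileVersion "6, 0, 0, 7" */`. The same generator output appears in every rule added in this file, and the loss is most misleading where digits carry the meaning: `viragt64.sys` is annotated `viragtsys` in the A209 rule, `i8042prt` becomes `iprt` in the BBF5 rule, and `HWiNFO32` becomes `HWiNFO` in the 6701 rule.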
@@ -5531,13 +7562,35 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_828A { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "828a18b16418c021b6c4aa8c6d54cef4e815efca0d48b9ff14822f9ccb69dff2" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_3FA6 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5559,7 +7612,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_80A5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5581,7 +7634,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_D783 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -5603,7 +7656,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_ADC1 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5625,7 +7678,7 @@ rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_9254 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004400440052005f00430043 } /* FileDescription NTIOLibforMSIDDRCC */ @@ -5647,7 +7700,7 @@ rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_F060 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ @@ -5669,7 +7722,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_EF6D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -5691,7 +7744,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_CC68 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5713,7 +7766,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Activeclean_A903 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5735,7 +7788,7 @@ rule PUA_VULN_Driver_Microfocus_Microfocusxtier_5351 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200053006500630075007200690074007900200043006f006e00740065007800740020004d0061006e0061006700650072 } /* FileDescription XTierSecurityContextManager */ 
@@ -5750,13 +7803,35 @@ rule PUA_VULN_Driver_Microfocus_Microfocusxtier_5351 {
 }
 
 
+rule PUA_VULN_Driver_Novellinc_Novellxtier_1E9C {
+ meta:
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys"
+ author = "Florian Roth"
+ reference = "https://github.com/magicsword-io/LOLDrivers"
+ hash = "1e9c236ed39507661ec32731033c4a9b9c97a6221def69200e03685c08e0bfa7"
+ hash = "76276c87617b836dd6f31b73d2bb0e756d4b3d133bddfe169cb4225124ca6bfb"
+ date = "2023-07-31"
+ score = 40
+ strings:
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */
+ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */
+ condition:
+ uint16(0) == 0x5a4d and filesize < 100KB and all of them
+}
+
+
 rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_26C2 {
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */
@@ -5772,13 +7847,35 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_26C2 } +rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_A209 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a2096b460e31451659b0dde752264c362f47254c8191930bc921ff16a4311641" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_DBC6 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5800,7 +7897,7 @@ rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_3 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -5822,7 +7919,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_2AFD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -5844,7 +7941,7 @@ rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmaster author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -5866,7 +7963,7 @@ rule PUA_VULN_Driver_Zemanaltd_Zam_8FE9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -5885,7 +7982,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_4BC0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -5907,7 +8004,7 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -5923,13 +8020,57 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { } +rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_0EAB { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0eab16c7f54b61620277977f8c332737081a46bc6bbde50742b6904bdd54f502" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright 
CopyrightSiSoftwareLtdPresentAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_D53F { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d53f9111a5e6c94b37e3f39c5860897405cb250dd11aa91c3814a98b1759c055" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of 
them +} + + rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolib_09BE { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ 
@@ -5945,13 +8086,35 @@ rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolib_09BE { } +rule PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6701 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6701433861742c08eb50f1e785962378143ad5b6c374ac29118168599f8a0f1c" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ 
@@ -5967,13 +8130,57 @@ rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B {
 }
 
 
+rule PUA_VULN_Driver_Innotekgmbh_Iprt_Virtualboxguestadditions_BBF5 {
+ meta:
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxMouseNT.sys"
+ author = "Florian Roth"
+ reference = "https://github.com/magicsword-io/LOLDrivers"
+ hash = "bbf564a02784d53b8006333406807c3539ee4a594585b1f3713325904cb730ec"
+ date = "2023-07-31"
+ score = 40
+ strings:
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200069003800300034003200200050006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxiPortDriver */
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */
+ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00690038003000340032007000720074 } /* InternalName iprt */
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */
+ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004d006f007500730065004e0054002e007300790073 } /* OriginalFilename VBoxMouseNTsys */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */
+ condition:
+ uint16(0) == 0x5a4d and filesize < 100KB and all of them
+}
+
+
+rule PUA_VULN_Driver_Proxydrvsys_Nn_C0E7 {
+ meta:
+ description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys"
+ author = "Florian Roth"
+ reference = "https://github.com/magicsword-io/LOLDrivers"
+ hash = "c0e74f565237c32989cb81234f4b5ad85f9dd731c112847c0a143d771021cb99"
+ date = "2023-07-31"
+ score = 40
+ strings:
+ $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */
+ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */
+ $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c0033 } /* FileVersion */
+ $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */
+ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */
+ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */
+ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */
+ condition:
+ uint16(0) == 0x5a4d and filesize < 200KB and all of them
+}
+
+
 rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_CFB7 {
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys"
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */
@@ -5995,7 +8202,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_B
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 40
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
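Review bot: The three non-Latin values in the new C0E7 rule (FileDescription, CompanyName, ProductName) appear to have each UTF-16 code unit written high byte first, e.g. `96f7795e…` for U+96F7 U+795E, whereas a PE VersionInfo resource stores UTF-16LE, i.e. `f7 96 5e 79 …`. The ASCII-only values in the other rules survive the same encoding only because their high byte is `00`, so the pattern still lines up one byte to the left; a code unit with a non-zero high byte cannot, and since the condition is `all of them` the rule can never fire on the sample it was generated from. If I have the byte order right, those three strings need to be emitted from the little-endian bytes — for ProductName that is the same code units reordered, `$ = { 00500072006f0064007500630074004e0061006d0065[1-8]f7965e794e004e00a0521f906856 } /* ProductName NN */` — and a scan of the referenced sample would confirm it; the 0EAB and 6701 rules are unaffected because `00a9` and `00ed` keep a zero high byte. The `/* FileDescription NN */` and empty `/* CompanyName */` comments also hide that these values are CJK text; quoting the decoded string would make that visible to the next maintainer.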
@@ -6011,13 +8218,35 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_B } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F42E { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f42eb29f5b2bcb2a70d796fd71fd1b259d5380b216ee672cf46dcdd4604b87ad" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_81AA { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -6039,7 +8268,7 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
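Review bot: The new rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F42E carries the same `description` as the existing ..._9679 (whose description this commit changes to `elbycdio.sys` in the hunk at -6255) and the new ..._AF16 (hunk at -6363), so an analyst sees three hits that differ only by the hash suffix in the rule name. Since the strings already pin a distinct FileVersion per rule, carrying it into the meta would make triage cheaper, e.g. `description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys (FileVersion 6, 0, 2, 0)"`. The same applies to the two Insyde segwindrvx64.sys rules ..._B9AE (hunk at -6055) and ..._38D6 (hunk at -6077), which share an identical description and differ only in version and copyright-year strings. If the rules are generated, this is a change to the generator template rather than to the hunks themselves.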
@@ -6055,13 +8284,35 @@ rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { } +rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_B9AE { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b9ae1d53a464bc9bb86782ab6c55e2da8804c80a361139a82a6c8eef30fddd7c" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310034002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ 
@@ -6077,13 +8328,78 @@ rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 { } +rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_38D6 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "38d6d90d543bf6037023c1b1b14212b4fa07731cbbb44bdb17e8faffc12b22e8" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_B205 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow8x64.sys " + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_CA34 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ca34f945117ec853a713183fa4e8cf85ea0c2c49ca26e73d869fee021f7b491d" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00760032002e003000200028003200300030003600300038003000380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_AD23 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ 
@@ -6105,7 +8421,7 @@ rule PUA_VULN_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceventmonito author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e0053007900730020002d0020004500760065006e00740020004d006f006e00690074006f00720069006e00670020006400720069007600650072 } /* FileDescription VProEventMonitorSysEventMonitoringdriver */ 
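Review bot: In PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_B205 the CompanyName, ProductName and LegalCopyright patterns end in long runs of `0020`, i.e. the trailing-space padding of that one build's resource copied verbatim, and with `all of them` the match is pinned to that exact pad width; a short comment on the CompanyName line such as `/* CompanyName Realtek — trailing 0020 run is resource padding, deliberate */` would stop a later maintainer from "cleaning up" the hex or wondering why a re-padded build is missed. The same rule's `description` ends in a stray space, `"... - rtkiow8x64.sys "`, which should be `"... - rtkiow8x64.sys"`. The Insyde ..._38D6 and Novell ..._CA34 rules in this hunk look consistent with their siblings.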
@@ -6121,13 +8437,57 @@ rule PUA_VULN_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceventmonito } +rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_EAA5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "eaa5dae373553024d7294105e4e07d996f3a8bd47c770cdf8df79bf57619a8cd" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + +rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_8EF5 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8ef59605ebb2cb259f19aba1a8c122629c224c58e603f270eaa72f516277620c" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e00320030003100350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e0032003000310035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0B2A { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ 
@@ -6149,7 +8509,7 @@ rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_3724 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -6171,7 +8531,7 @@ rule PUA_VULN_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardwarereadwrit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* FileDescription Hardwarereadwritedriver */ 
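Review bot: The description of PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_8EF5 lists `rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys`, but its InternalName and OriginalFilename strings both decode to `rtkio64.sys ` and the condition is `all of them`, so only that one filename can satisfy the rule; either the description should name just `rtkio64.sys` or the note should say the list is the LOLDrivers entry's alias set rather than what the rule matches. In PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_..._EAA5 the CompanyName (`Windows (R) Codename Longhorn DDK provider`), ProductName, FileVersion (`6.0.6000.16386 built by: WinDDK`) and LegalCopyright (`© Microsoft Corporation. All rights reserved.`) are the stock WDK template values, so the rule's specificity rests on FileDescription, InternalName and OriginalFilename alone; a one-line comment on the CompanyName string, `/* CompanyName — WDK template placeholder, not vendor-specific */`, would make that explicit for anyone tuning the score.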
@@ -6187,35 +8547,13 @@ rule PUA_VULN_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardwarereadwrit } -rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_CF69 { - meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" - date = "2023-07-14" - score = 40 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them -} - - rule 
PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ 
@@ -6231,13 +8569,35 @@ rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E } +rule PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_E505 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e505569892551b2ba79d8792badff0a41faea033e8d8f85c3afea33463c70bd9" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Logmeininc_Lmiinfosys_Logmein_453B { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LMIinfo.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0067004d00650049006e0020004b00650072006e0065006c00200049006e0066006f0072006d006100740069006f006e002000500072006f00760069006400650072 } /* FileDescription LogMeInKernelInformationProvider */ 
@@ -6255,11 +8615,11 @@ rule PUA_VULN_Driver_Logmeininc_Lmiinfosys_Logmein_453B { rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { meta: - description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ 
@@ -6275,13 +8635,35 @@ rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { } +rule PUA_VULN_Driver_Innotekgmbh_Vboxusbsys_Virtualboxusbdriver_C509 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c509935f3812ad9b363754216561e0a529fc2d5b8e86bfa7302b8d149b7d04aa" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule PUA_VULN_Driver_Asustekcomputerinc_Iomapsys_Asuskernelmodedriverfornt_EA85 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IOMap64.sys" author = 
"Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* FileDescription ASUSKernelModeDriverforNT */ @@ -6303,7 +8685,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_EBE2 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -6325,7 +8707,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_7AD0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -6347,7 +8729,7 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
@@ -6363,13 +8745,35 @@ rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { } +rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_AF16 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "af16c36480d806adca881e4073dcd41acb20c35ed0b1a8f9bd4331de655036e1" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003200200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them +} + + rule 
PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_FF96 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -6391,7 +8795,7 @@ rule PUA_VULN_Driver_Nvidiacorporation_Nvflash_Nvidiaflashdriver_AFDD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072002c002000560065007200730069006f006e00200031002e0038002e0030 } /* FileDescription NVIDIAFlashDriverVersion */ @@ -6413,7 +8817,7 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -6429,13 +8833,35 @@ rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { } +rule PUA_VULN_Driver_Netfiltersdkcom_Lgdcatchersys_Netfiltersdk_0C42 { + meta: + description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDCatcher.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5" + date = "2023-07-31" + score = 40 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* CompanyName NetFilterSDKcom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* InternalName LgDCatchersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0065007400460069006c007400650072002000530044004b } /* ProductName NetFilterSDK */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* OriginalFilename LgDCatchersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003f0020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + condition: + uint16(0) == 0x5a4d and filesize 
< 100KB and all of them +} + + rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 { meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050004e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPNPDriver */ @@ -6457,7 +8883,7 @@ rule PUA_VULN_Driver_Mitactechnologycorporation_Mtcbsvsys_Mitacsystemserviceprov author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ @@ -6479,7 +8905,7 @@ rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EC5F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
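Review bot: The LegalCopyright string of PUA_VULN_Driver_Netfiltersdkcom_Lgdcatchersys_Netfiltersdk_0C42 encodes `0020003f0020` between "Copyright" and "NetFilterSDK.com", i.e. a literal `?`, whereas the other rules in this diff carry the copyright sign as `00a9` (see the IObit and cpuz rules in yara-rules_vuln_drivers_strict_renamed.yar). That is presumably faithful to the hashed sample, but since the condition requires `all of them`, a build whose resource carries the real © would not match this rule at all. Replacing the single code unit `003f` with the wildcard `????` in that hex string would cover both encodings without loosening anything else; at minimum the comment `/* LegalCopyright CopyrightNetFilterSDKcom */` should mention the `?`, because it currently hides the oddity from a reader. The context rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 continues outside the hunk.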
@@ -6501,7 +8927,7 @@ rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb" - date = "2023-07-14" + date = "2023-07-31" score = 40 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ diff --git a/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar b/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar index 185f5d6de..e4d58dc91 100644 --- a/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +++ b/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar 
@@ -1,11 +1,121 @@ +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_EC13 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ec1307356828426d60eab78ffb5fc48a06a389dea6e7cc13621f1fa82858a613" + hash = "6c5aef14613b8471f5f4fdeb9f25b5907c2335a4bc18b3c2266fb1ffd8f1741d" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nicm/i +} + + +rule PUA_VULN_Renamed_Driver_Iobit_Iobitunlockersys_Iobitunlocker_5EA5 { + meta: + description = "Detects renamed vulnerable 
driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5ea5f339b2e40dea57378626790ca7e9a82777aacdada5bc61ebb7d82043fa07" + hash = "b0dd55b4dc7e561dfe413b029673674e2a5381f5f4daede03ddf3484310a6e11" + hash = "a92d2736c8cd99195a1ef4d0d9a3412bee481acf585944e3b5946b465361a3e7" + hash = "d3e95b8d8cbb0c4c3bb78d929408b37fd3b8f305b6234f7f03954465d52454eb" + hash = "b6ae324b84a4632cf690dd565954d64b205104fc3fa42181612c3f5b830579c6" + hash = "d8096325bfe81b093dd522095b6153d9c4850ba2eaa790e12e7056ef160d0432" + hash = "0209934453e9ce60b1a5e4b85412e6faf29127987505bfb1185fc9296c578b09" + hash = "2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae" + hash = "c2e1a3dd0dfb3477a3e855368b23d12b8818df8fa3bc3508abf069a0873d6bf8" + hash = "faa9aa7118ecf9bb6594281f6b582f1ced0cc62d5db09a2fbf9b7ce70c532285" + hash = "507724d96a54f3e45c16a065bf38ae82a9b80d07096a461068a701cae0c1cf29" + hash = "969f73a1da331e43777a3c1f08ec0734e7cf8c8136e5d469cbad8035fbfe3b47" + hash = "a38c26c0754f6c9389ea43dd0149db26b95742c1b37468fcf0d8ced66da1dcb9" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f0062006900740055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription IObitUnlockerDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys 
*/ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072 } /* ProductName IObitUnlocker */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0049004f00620069007400200043006f0070007900720069006700680074002000a900200032003000300035002d0032003000310033 } /* LegalCopyright IObitCopyright */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iobitunlocker/i +} + + +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_D807 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d80714d87529bb0bc7abcc12d768c43a697fbca59741c38fa0b46900da4db30e" + hash = "fed0fe2489ae807913be33827b3b11359652a127e33b64464cc570c05abd0d17" + hash = "7048d90ed4c83ad52eb9c677f615627b32815066e34230c3b407ebb01279bae6" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + +rule PUA_VULN_Renamed_Driver_Powertool_Kevpsys_Powertool_7462 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7462b7ae48ae9469474222d4df2f0c4f72cdef7f3a69a524d4fccc5ed0fd343f" + hash = "7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230" + hash = "d9500af86bf129d06b47bcfbc4b23fcc724cfbd2af58b03cdb13b26f8f50d65e" + hash = "97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56" + hash = "e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4" + hash = "2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d" + hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" + hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" + hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */ + condition: + uint16(0) == 0x5a4d and filesize < 2900KB and all of them and not filename matches /kEvP64/i +} + + rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_8B92 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ 
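Review bot: All four rules added here, like the rest of this file, depend on the external variable `filename` in their condition (`not filename matches /nicm/i`, `/iobitunlocker/i`, `/elbycdio/i`, `/kEvP64/i`), but nothing in the file states that requirement; compiling without the external fails with an undefined-identifier error, and a scanner that supplies an empty string silently makes the `not filename matches` clause always true, so the score-70 "renamed" rules then fire on the unrenamed drivers too. A file-level comment such as `// Every rule in this file requires the external variable "filename" (yara -d filename=<file name>, or yara-python externals={"filename": ...}); with an empty value the renamed-file exclusions never apply.` would prevent both failure modes. Separately, PUA_VULN_Renamed_Driver_Powertool_Kevpsys_Powertool_7462 uses `filesize < 2900KB` where its siblings use 100KB or 200KB; if that is deliberate because one of its nine hashed samples is large, a short comment on the condition line would stop the next reader from "fixing" it. The context rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_8B92 continues outside the hunk.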
@@ -27,7 +137,7 @@ rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_7196 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ @@ -50,7 +160,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e" hash = "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -73,7 +183,7 @@ rule PUA_VULN_Renamed_Driver_Yyinc_Dianhu_BB50 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955" hash = "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006400690061006e00680075 } /* FileDescription dianhu */ @@ -93,7 +203,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_CF4B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d005300490043006c006f0063006b005f00430043 } /* FileDescription NTIOLibforMSIClockCC */ 
@@ -111,12 +221,14 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_CF4B { rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00" + hash = "7227377a47204f8e2ff167eee54b4b3545c0a19e3727f0ec59974e1a904f4a96" + hash = "b11e109f6b3dbc8aa82cd7da0b7ba93d07d9809ee2a4b21ec014f6a676a53027" hash = "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -128,7 +240,7 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } 
@@ -138,11 +250,12 @@ rule PUA_VULN_Renamed_Driver_Phoenixtechnologies_Agentsys_Driveragent_6948 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa" + hash = "4db1e0fdc9e6cefeb1d588668ea6161a977c372d841e7b87098cf90aa679abfb" hash = "8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f" hash = "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414" hash = "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748" hash = "4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004400720069007600650072004100670065006e0074002000440069007200650063007400200049002f004f00200066006f0072002000360034002d006200690074002000570069006e0064006f00770073 } /* FileDescription DriverAgentDirectIOforbitWindows */ @@ -171,7 +284,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_FF11 { hash = "57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572" hash = "4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee" hash = "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -187,6 +300,105 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_FF11 { } +rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxusbsys_Virtualboxusbdriver_5B26 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5b26c4678ecd37d1829513f41ff9e9df9ef1d1d6fea9e3d477353c90cc915291" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxUSB/i +} + + +rule 
PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_8E92 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8e92aacd60fca1f09b7257e62caf0692794f5d741c5d1eec89d841e87f2c359c" + hash = "84c5f6ddd9c90de873236205b59921caabb57ac6f7a506abbe2ce188833bbe51" + hash = "ac1af529c9491644f1bda63267e0f0f35e30ab0c98ab1aecf4571f4190ab9db4" + hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e" + hash = "79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd" + hash = "6001c6acae09d2a91f8773bbdfd52654c99bc672a9756dc4cb53dc2e3efeb097" + hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98" + hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126" + hash = "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ 
+ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i +} + + +rule PUA_VULN_Renamed_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_7D4C { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7d4ca5760b6ad2e4152080e115f040f9d42608d2c7d7f074a579f911d06c8cf8" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e } /* CompanyName TOSHIBACorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0031002e0030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* InternalName NCHGBIOSxSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0054004f00530048004900420041002000420049004f00530020005000610063006b006100670065 } /* ProductName TOSHIBABIOSPackage */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* OriginalFilename NCHGBIOSxSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200031003900390039002d003200300031003000200054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCTOSHIBACorporationAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NCHGBIOS2x64/i +} + + +rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_D7B7 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d7b743c3f98662c955c616e0d1bb0800c9602e5b6f2385336a72623037bfd6dd" + hash = "2665d3127ddd9411af38a255787a4e2483d720aa021be8d6418e071da52ed266" + hash = "567809308cfb72d59b89364a6475f34a912d03889aa50866803ac3d0bf2c3270" + hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = 
{ 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i +} + + rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" @@ -194,7 +406,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_2BBE { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250" hash = "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d0053004900530069006d0070006c0065005f004f0043 } /* FileDescription NTIOLibForMSISimpleOC */ 
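Review bot: PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxusbsys_Virtualboxusbdriver_5B26 keys its CompanyName and LegalCopyright strings on "Sun Microsystems, Inc.", whereas the non-renamed rule for the same driver added earlier in this diff (PUA_VULN_Driver_Innotekgmbh_Vboxusbsys_Virtualboxusbdriver_C509) keys on "innotek GmbH"; unless another rule in this file covers it, a renamed copy of the innotek-era build therefore has no strict_renamed counterpart. If that gap is accepted because the source list only carries a renamed sample for the Sun build, a one-line meta note on the 5B26 rule, e.g. `// covers the Sun Microsystems build only; the innotek GmbH build (see rule ..._C509) has no renamed rule yet`, would make the coverage decision visible. The same hunk also adds the Razer rule with `filesize < 200KB` against 100KB elsewhere, which deserves the same short justification comment. The context rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_2BBE continues outside the hunk.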
@@ -217,7 +429,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 {
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd"
 hash = "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
@@ -239,7 +451,7 @@ rule PUA_VULN_Renamed_Driver_Phoenixtechnologiesltd_Phlashnt_Winphlash_65DB {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300570069006e0046006c006100730068002000440072006900760065007200200066006f0072002000570069006e0064006f007700730020004e0054 } /* FileDescription SWinFlashDriverforWindowsNT */
@@ -262,7 +474,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EE3F {
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7"
 hash = "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
@@ -284,7 +496,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_ECD0 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
@@ -306,7 +518,7 @@ rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriver_D205 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */
@@ -322,13 +534,35 @@ rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriver_D205 { } +rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_BE68 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "be683cd38e64280567c59f7dc0a45570abcb8a75f1d894853bbbd25675b4adf7" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i +} + + rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_1023 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ 
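Review bot: In the new `_BE68` cpuz rule, the CompanyName (`Windows (R) Server 2003 DDK provider`), ProductName, FileVersion (`5.2.3790.0 built by: WinDDK`) and LegalCopyright (`© Microsoft Corporation. All rights reserved.`) strings appear to be the stock WDK build-template VersionInfo values rather than anything specific to cpuz.sys, so only the FileDescription and the `cpuz.sys` InternalName/OriginalFilename strings actually discriminate. The `all of them` condition keeps the rule precise, but nothing records that dependency, and a later relaxation to `N of them` would make it fire on any driver built from the same template. I would document it on the condition line, e.g. `uint16(0) == 0x5a4d and filesize < 100KB and all of them /* CompanyName/ProductName/FileVersion/LegalCopyright are generic WinDDK template values; keep 'all of them' */ and not filename matches /cpuz/i`, or in the generator template if these rules are emitted from the YAML as the commit message suggests. The same applies to the `_65DE` cpuz rule later in this diff, and to the CompanyName/ProductName strings (`Windows (R) Win 7 DDK provider`) of the `_47E3` netfilter and `_07FB` LgDataCatcher rules.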
@@ -346,11 +580,11 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ 
@@ -366,6 +600,39 @@ rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 { } +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_65DE { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "65deb5dca18ee846e7272894f74d84d9391bbe260c22f24a65ab37d48bd85377" + hash = "c7f64b27cd3be5af1c8454680529ea493dfbb09e634eec7e316445ad73499ae0" + hash = "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e" + hash = "922d23999a59ce0d84b479170fd265650bc7fae9e7d41bf550d8597f472a3832" + hash = "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c" + hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289" + hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c" + hash = "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e" + hash = "c673f2eed5d0eed307a67119d20a91c8818a53a3cb616e2984876b07e5c62547" + hash = "b7aa4c17afdaff1603ef9b5cc8981bed535555f8185b59d5ae13f342f27ca6c5" + hash = "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b" + hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i +} + + rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D8 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amifldrv64.sys, amifldrv.sys" @@ -373,7 +640,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdr reference = "https://github.com/magicsword-io/LOLDrivers" hash = "38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20" hash = "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0049002000470065006e00650072006900630020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription AMIGenericUtilityDriver */ 
@@ -395,7 +662,7 @@ rule PUA_VULN_Renamed_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_9131 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */
@@ -417,7 +684,7 @@ rule PUA_VULN_Renamed_Driver_Cyreninc_Amp_Cyrenamp_CBB8 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00500020004d0069006e006900660069006c007400650072 } /* FileDescription AMPMinifilter */
@@ -433,6 +700,54 @@ rule PUA_VULN_Renamed_Driver_Cyreninc_Amp_Cyrenamp_CBB8 { } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_66A2 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "66a20fc2658c70facd420f5437a73fa07a5175998e569255cfb16c2f14c5e796" + hash = "4cd80f4e33b713570f6a16b9f77679efa45a466737e41db45b41924e7d7caef4" + hash = "00c02901472d74e8276743c847b8148be3799b0e3037c1dfdca21fa81ad4b922" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename 
matches /libnicm/i +} + + +rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_0B54 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0b547368c03e0a584ae3c5e62af3728426c68b316a15f3290316844d193ad182" + hash = "f15962354d37089884abba417f58e9dbd521569b4f69037a24a37cfc2a490672" + hash = "9fa120bda98633e30480d8475c9ac6637470c4ca7c63763560bf869138091b01" + hash = "9eba5d1545fdbf37cf053ac3f3ba45bcb651b8abb7805cbfdfb5f91ea294fb95" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100370037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i +} + + 
 rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 {
 meta:
 description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxdrv.sys"
@@ -440,7 +755,7 @@ rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f"
 hash = "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */
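Review bot: The new `PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_0B54` rule is a copy of `_D7B7` earlier in this diff with only the FileVersion/ProductVersion tail changed (`1.0.12.10177` vs `1.0.12.10155`); every other string, the size bound and the exclusion regex are identical. YARA hex strings accept alternation, so both builds fit in one rule by rewriting the two version strings as `$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e003100300031(00350035|00370037) } /* FileVersion 1.0.12.10155 | 1.0.12.10177 */` and the matching ProductVersion line, with the hash lists merged. If these rules are emitted by a generator from the YAML, as the commit message suggests, the consolidation belongs there rather than in the checked-in text.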
@@ -456,6 +771,30 @@ rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 } +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Lgdatacatchersys_Gameacc_07FB { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDataCatcher.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "07fb2bb6c852f6a6fe982b2232f047e167be39738bac26806ffe0927ba873756" + hash = "45b07a2f387e047a6bb0e59b7f22fb56182d57b50e84e386a38c2dbb7e773837" + hash = "516159871730b18c2bddedb1a9da110577112d4835606ee79bb80e7a58784a13" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006500690067006f00640020006e006500740020006400610074006100200063006100740063006800650072002e } /* FileDescription Leigodnetdatacatcher */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* InternalName LgDataCatchersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00470061006d0065004100630063 } /* ProductName GameAcc */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440061007400610043006100740063006800650072002e007300790073 } /* OriginalFilename LgDataCatchersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002000320030003200300020006e006e002e0063006f006d } /* 
LegalCopyright Copyrightnncom */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /LgDataCatcher/i +} + + rule PUA_VULN_Renamed_Driver_Bsmisys_552F { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BSMIx64.sys" @@ -463,7 +802,7 @@ rule PUA_VULN_Renamed_Driver_Bsmisys_552F { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9" hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053004d00490020004400720069007600650072 } /* FileDescription SMIDriver */ @@ -486,7 +825,7 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatftat hash = "5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be" hash = "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5" hash = "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440065006600610075006c0074002000420049004f005300200046006c0061007300680020004400720069007600650072 } /* FileDescription DefaultBIOSFlashDriver */ @@ -508,7 +847,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3070 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0053004900200043006f006d00430065006e00530065007200760069006300650020004400720069007600650072 } /* FileDescription MSIComCenServiceDriver */ 
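Review bot: In the new `_07FB` LgDataCatcher rule the LegalCopyright string decodes to `Copyright  2020 nn.com` with two consecutive spaces (`...00740020002000320030...`), whereas the other rules in this diff keep a `00a9` (©) at that position. If the sample's VersionInfo actually holds a symbol there that was lost when the YAML was produced, this string never matches and, because the condition requires `all of them`, the whole rule stays silent. That is worth confirming against the resource section of one of the listed samples; if the double space is genuine, a comment such as `/* LegalCopyright: the double space is present in the binary, do not "fix" */` on that string would keep the next reader from normalising it.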
@@ -530,7 +869,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_AAA3 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
@@ -552,7 +891,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_654C {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
@@ -574,18 +913,25 @@ rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f"
+ hash = "c8f0bb5d8836e21e7a22a406c69c01ba7d512a808c37c45088575d548ee25caa"
 hash = "df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15"
+ hash = "636b4c1882bcdd19b56370e2ed744e059149c64c96de64ac595f20509efa6220"
 hash = "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758"
+ hash = "b01ebea651ec7780d0fe88dd1b6c2500a36dacf85e3a4038c2ca1c5cb44c7b5d"
 hash = "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6"
 hash = "5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe"
+ hash = "a11cf43794ea5b5122a0851bf7de08e559f6e9219c77f9888ff740055f2c155e"
+ hash = "d0543f0fdc589c921b47877041f01b17a534c67dcc7c5ad60beba8cf7e7bc9c6"
+ hash = "b9695940f72e3ed5d7369fb32958e2146abd29d5895d91ccc22dfbcc9485b78b"
 hash = "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b"
+ hash = "e51ec2876af3c9c3f1563987a9a35a10f091ea25ede16b1a34ba2648c53e9dfc"
 hash = "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90"
 hash = "80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1"
 hash = "523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba"
 hash = "67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc"
 hash = "1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512"
 hash = "9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
@@ -607,7 +953,7 @@ rule PUA_VULN_Renamed_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */
@@ -623,13 +969,37 @@ rule PUA_VULN_Renamed_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_ } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_F77F { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f77fe6b1e0e913ac109335a8fa2ac4961d35cbbd50729936059aba8700690a9e" + hash = "c6feb3f4932387df7598e29d4f5bdacec0b9ce98db3f51d96fc4ffdcc6eb10e1" + hash = "1675eedd4c7f2ec47002d623bb4ec689ca9683020e0fdb0729a9047c8fb953dd" + hash = "e7b79fe1377b3da749590c080d4d96e59e622b1013b2183b98c81baa8bf2fffe" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + 
condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i +} + + rule PUA_VULN_Renamed_Driver_Wj_Kprocesshacker_C725 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - krpocesshacker.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ 
@@ -640,25 +1010,82 @@ rule PUA_VULN_Renamed_Driver_Wj_Kprocesshacker_C725 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00700072006f0063006500730073006800610063006b00650072002e007300790073 } /* OriginalFilename kprocesshackersys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004c006900630065006e00730065006400200075006e006400650072002000740068006500200047004e0055002000470050004c002c002000760033002e } /* LegalCopyright LicensedundertheGNUGPLv */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /krpocesshacker/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /kprocesshacker/i } -rule PUA_VULN_Renamed_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_5C04 { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_3140 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a" - hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173" - hash = "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7" - date = "2023-07-14" + hash = "3140005ce5cac03985f71c29732859c88017df9d41c3761aa7c57bbcb7ad2928" + hash = "18f306b6edcfacd33b7b244eaecdd0986ef342f0d381158844d1f0ee1ac5c8d7" + hash = "c08581e3e444849729c5b956d0d6030080553d0bc6e5ae7e9a348d45617b9746" + hash = "94c226a530dd3cd8d911901f702f3dab8200d1d4fdc73fcb269f7001f4e66915" + hash = "00b3ff11585c2527b9e1c140fd57cb70b18fd0b775ec87e9646603056622a1fd" + date = "2023-07-31" score = 70 strings: - $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410054004900200044006900610067006e006f007300740069006300730020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription ATIDiagnosticsHardwareAbstractionSys */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410054004900200054006500630068006e006f006c006f006700690065007300200049006e0063002e } /* CompanyName ATITechnologiesInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* ProductVersion */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and 
filesize < 100KB and all of them and not filename matches /nicm/i +} + + +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_47E3 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "47e35f474f259314c588af35e88561a015801b52db523eb75fc7eccff8b3be4d" + hash = "6703400b490b35bcde6e41ce1640920251855e6d94171170ae7ea22cdd0938c0" + hash = "f488500be4eaafba74b644be95d4c0523297770fb9bb78c449f643ab8d4a05d9" + hash = "639ff79f13e40d47b90ecd709699edd10e740cb41451acb95590a68b6352de2b" + hash = "0eace788e09c8d3f793a1fad94d35bcfd233f0777873412cd0c8172865562eec" + hash = "db1dbb09d437d3e8bed08c88ca43769b4fe8728f68b78ff6f9c8d2557e28d2b1" + hash = "5c54a5cd3386ac14725a07962562e9fdcefbb7be0d19803f9d71de24573de1e3" + hash = "8017e618b5a7aa608cc4bce16e4defd6b4e99138c4ba1bdd6ad78e39f035cf59" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName 
netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /netfilter2/i +} + + +rule PUA_VULN_Renamed_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_5C04 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a" + hash = "c825a47817399e988912bb75106befaefae0babc0743a7e32b46f17469c78cad" + hash = "be66f3bbfed7d648cfd110853ddb8cef561f94a45405afc6be06e846b697d2b0" + hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173" + hash = "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7" + hash = "6c6c5e35accc37c928d721c800476ccf4c4b5b06a1b0906dc5ff4df71ff50943" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410054004900200044006900610067006e006f007300740069006300730020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription ATIDiagnosticsHardwareAbstractionSys */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]00410054004900200054006500630068006e006f006c006f006700690065007300200049006e0063002e } /* CompanyName ATITechnologiesInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410054004900200044006900610067006e006f00730074006900630073 } /* ProductName ATIDiagnostics */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */ @@ -674,7 +1101,7 @@ rule PUA_VULN_Renamed_Driver_Lenovogrouplimitedr_Lenovodiagnosticsdriversys_Leno author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073002000440072006900760065007200200066006f0072002000570069006e0064006f0077007300200031003000200061006e00640020006c0061007400650072002e } /* FileDescription LenovoDiagnosticsDriverforWindowsandlater */ 
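Review bot: The new `PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_3140` rule (nicm.sys, FileVersion `3.1.12.0`, copyright `2000-2015`) and the `_E728` rule added later in this diff (nicm.sys, `3.1.11.0`, `2000-2014`) share FileDescription, CompanyName, ProductName and OriginalFilename strings and the same `/nicm/i` exclusion, so they differ only in one version digit and one year digit. One rule with hex alternation covers both builds: `0033002e0031002e0031(0032|0031)002e0030` for FileVersion, `0033002e0031002e0031(0032|0031)` for ProductVersion and `...002d003200300031(0035|0034)002c...` inside the LegalCopyright string, with the two hash lists merged. The `_E728` hunk is cut off at the end of this chunk, so its condition line is not fully visible here and this is inferred from its strings. If the rules are generated from the YAML, this is a generator-level change rather than a hand edit.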
@@ -697,7 +1124,7 @@ rule PUA_VULN_Renamed_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsy
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf"
 hash = "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c00480041 } /* FileDescription LHA */
@@ -713,6 +1140,29 @@ rule PUA_VULN_Renamed_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsy } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_E728 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e728b259113d772b4e96466ab8fe18980f37c36f187b286361c852bd88101717" + hash = "a15325e9e6b8e4192291deb56c20c558dde3f96eb682c6e90952844edb984a00" + hash = "4c859b3d11d2ff0049b644a19f3a316a8ca1a4995aa9c39991a7bde8d4f426a4" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them 
and not filename matches /nicm/i +} + + rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriverfle_55FE { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_I2cIo.sys" @@ -721,7 +1171,7 @@ rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriverfle_55FE { hash = "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a" hash = "42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb" hash = "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ 
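Review bot: The condition of the new `PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_E728` rule ends in `not filename matches /nicm/i`, and `filename` is a YARA external variable, so any consumer that compiles this file without defining it (yara-python `externals={'filename': ...}`, or `-d filename=...` on the CLI) fails to compile the whole rule set, not just this rule; I cannot see from this hunk whether the enrichment script in this commit supplies it. The same applies to the ASRock, netfilter2 (both), rzpnk, inpout32/ElbyCDIO and ElbyCDIO/libnicm rules added further down. Note also that supplying an empty `filename` makes the exclusion vacuous, so the "Renamed" rules then fire on drivers that still carry their original name, which changes what a hit means for downstream enrichment. A one-line header comment near the top of the file (outside this hunk) would prevent the surprise: `// All PUA_VULN_Renamed_Driver_* rules require the external variable 'filename' (e.g. yara -d filename=<name>)`.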
@@ -737,34 +1187,6 @@ rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriverfle_55FE { } -rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_C3E1 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e" - hash = "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c" - hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289" - hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c" - hash = "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e" - hash = "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b" - hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036" - date = "2023-07-14" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i -} - - rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_1792 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" @@ -772,8 +1194,9 @@ rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddk reference = "https://github.com/magicsword-io/LOLDrivers" hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229" hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427" + hash = "88992ddcb9aaedb8bfcc9b4354138d1f7b0d7dddb9e7fcc28590f27824bee5c3" hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ 
@@ -795,10 +1218,15 @@ rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3" + hash = "da617fe914a5f86dc9d657ef891bbbceb393c8a6fea2313c84923f3630255cdb" hash = "5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02" + hash = "368a9c2b6f12adbe2ba65181fb96f8b0d2241e4eae9f3ce3e20e50c3a3cc9aa1" + hash = "572c545b5a95d3f4d8c9808ebeff23f3c62ed41910eb162343dd5338e2d6b0b4" + hash = "4d5059ec1ebd41284b9cea6ce804596e0f386c09eee25becdd3f6949e94139ba" hash = "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa" + hash = "11a4b08e70ebc25a1d4c35ed0f8ef576c1424c52b580115b26149bd224ffc768" hash = "ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -820,7 +1248,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ 
@@ -842,7 +1270,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -864,9 +1292,17 @@ rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_26E3 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43" + hash = "53bd8e8d3542fcf02d09c34282ebf97aee9515ee6b9a01cefd81baa45c6fd3d6" + hash = "b4c07f7e7c87518e8950eb0651ae34832b1ecee56c89cdfbd1b4efa8cf97779f" + hash = "b738eab6f3e32cec59d5f53c12f13862429d3db6756212bbcd78ba4b4dbc234c" + hash = "0484defcf1b5afbe573472753dc2395e528608b688e5c7d1d178164e48e7bed7" + hash = "d366cbc1d5dd8863b45776cfb982904abd21d0c0d4697851ff54381055abcfc8" + hash = "65e3548bc09dffd550e79501e3fe0fee268f895908e2bba1aa5620eb9bdac52d" hash = "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26" + hash = "fb1183ef22ecbcc28f9c0a351c2c0280f1312a0fdf8a9983161691e2585efc70" + hash = "8a0702681bc51419fbd336817787a966c7f92cabe09f8e959251069578dfa881" hash = "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ 
@@ -888,9 +1324,12 @@ rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_2E66 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0" + hash = "b0b6a410c22cc36f478ff874d4a23d2e4b4e37c6e55f2a095fc4c3ef32bcb763" hash = "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f" + hash = "5a661e26cfe5d8dedf8c9644129039cfa40aebb448895187b96a8b7441d52aaa" hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22" - date = "2023-07-14" + hash = "202d9703a5b8d06c5f92d2c5218a93431aa55af389007826a9bfaaf900812213" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ @@ -911,10 +1350,12 @@ rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_8D57 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2" + hash = "b8ffe83919afc08a430c017a98e6ace3d9cbd7258c16c09c4f3a4e06746fc80a" hash = "f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c" hash = "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88" hash = "771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c" - date = "2023-07-14" + hash = "6c5c6c350c8dd4ca90a8cca0ed1eeca185ebc67b1100935c8f03eb3032aca388" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ 
@@ -936,7 +1377,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
@@ -952,6 +1393,38 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex } +rule PUA_VULN_Renamed_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_4D03 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4d03a01257e156a3a018230059052791c3cde556e5cec7a4dd2f55f65c06e146" + hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9" + hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" + hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" + hash = "53bb076e81f6104f41bc284eedae36bd99b53e42719573fa5960932720ebc854" + hash = "d20d8bf80017e98b6dfc9f6c3960271fa792a908758bef49a390e2692a2a4341" + hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" + hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838" + hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d" + hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7" + hash = "4bf974f5d3489638a48ee508b4a8cfa0f0262909778ccdd2e871172b71654d89" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* 
ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrDrv/i +} + + rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_9521 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" @@ -988,7 +1461,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_9521 { hash = "9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449" hash = "7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504" hash = "39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ 
@@ -1012,7 +1485,8 @@ rule PUA_VULN_Renamed_Driver_Asustek_Driversys_Ectool_4285 {
 hash = "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0"
 hash = "927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a"
 hash = "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd"
- date = "2023-07-14"
+ hash = "1beb15c90dcf7a5234ed077833a0a3e900969b60be1d04fcebce0a9f8994bdbb"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400680065002000640072006900760065007200200066006f007200200074006800650020004500430074006f006f006c0020006400720069007600650072002d0062006100730065006400200074006f006f006c0073 } /* FileDescription ThedriverfortheECtooldriverbasedtools */
@@ -1028,6 +1502,30 @@ rule PUA_VULN_Renamed_Driver_Asustek_Driversys_Ectool_4285 { } +rule PUA_VULN_Renamed_Driver_Netfiltersys_26D6 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "26d67d479dafe6b33c980bd1eed0b6d749f43d05d001c5dcaaf5fcddb9b899fe" + hash = "2fa78c2988f9580b0c18822b117d065fb419f9c476f4cfa43925ba6cd2dffac3" + hash = "6a234a2b8eb3844f7b5831ee048f88e8a76e9d38e753cc82f61b234c79fe1660" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches 
/netfilter2/i +} + + rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_D682 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" @@ -1044,7 +1542,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex hash = "89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7" hash = "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd" hash = "c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -1066,7 +1564,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ 
@@ -1082,13 +1580,35 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy } +rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_9E34 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9e3430d5e0e93bc4a5dccc985053912065e65722bfc2eaf431bc1da91410434c" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0036003000380037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i +} + + rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_7CB5 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, 
zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -1109,7 +1629,7 @@ rule PUA_VULN_Renamed_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_5A82 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a" hash = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200610077004400690073006b0020004400720069007600650072002e00200041006c006c006f00770073002000770072006900740065002000610063006300650073007300200074006f002000660069006c0065007300200061006e006400200072006100770020006400690073006b00200073006500630074006f0072007300200066006f0072002000750073006500720020006d006f006400650020006100700070006c00690063006100740069006f006e007300200069006e002000570069006e0064006f007700730020003200300030003000200061006e00640020006c0061007400650072002e } /* FileDescription RawDiskDriverAllowswriteaccesstofilesandrawdisksectorsforusermodeapplicationsinWindowsandlater */ @@ -1131,7 +1651,7 @@ rule PUA_VULN_Renamed_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ 
@@ -1147,13 +1667,61 @@ rule PUA_VULN_Renamed_Driver_Hpinc_Hpportioxsys_Hpportio_C505 { } +rule PUA_VULN_Renamed_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutsys_Inpoutdriverversion_B8DE { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpout32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b8ded5e10dfc997482ba4377c60e7902e6f755674be51b0e181ae465529fb2f2" + hash = "945ee05244316ff2f877718cf0625d4eb34e6ec472f403f958f2a700f9092507" + hash = "cfab93885e5129a86d13fd380d010cc8c204429973b776ab1b472d84a767930f" + hash = "7db320e49139f636c8b6d12b6c78b666a62599e9d59587ba87c6b89b0a34b18d" + hash = "16360ead229b13deb47bc2bef40f282474c9f18c213c636cdfb8cc2495168251" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048006900670068007200650073006f006c007500740069006f006e00200045006e0074006500720070007200690073006500730020005b007700770077002e006800690067006800720065007a002e0063006f002e0075006b005d } /* CompanyName HighresolutionEnterpriseswwwhighrezcouk */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* InternalName inpoutsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006e0070006f00750074003300320020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } 
/* ProductName inpoutDriverVersion */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006e0070006f0075007400330032002e007300790073 } /* OriginalFilename inpoutsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300030003800200048006900670068007200650073006f006c007500740069006f006e00200045006e007400650072007000720069007300650073002e00200050006f007200740069006f006e007300200043006f007000790072006900670068007400200028006300290020004c006f00670069007800340075 } /* LegalCopyright CopyrightcHighresolutionEnterprisesPortionsCopyrightcLogixu */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /inpout32/i +} + + +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_B9AD { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b9ad7199c00d477ebbc15f2dcf78a6ba60c2670dad0ef0994cebccb19111f890" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200033002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* 
InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + rule PUA_VULN_Renamed_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - superbmc.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007300750070006500720062006d0063 } /* FileDescription superbmc */ 
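Review bot: `PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_B9AD` in this hunk and `..._Cdrtools_1228` in the next hunk describe the same elbycdio.sys with identical FileDescription, CompanyName, InternalName, ProductName and OriginalFilename patterns; only the FileVersion/ProductVersion strings, the copyright year and the hash differ. If the file is hand-maintained, one rule with both version pairs as alternatives would be smaller and easier to keep in sync; if it is generated by the rule tooling (the naming and hex layout suggest so), this is a note for the generator rather than for this commit. Either way a short comment above the second rule, e.g. `// variant of _B9AD: same driver, FileVersion 4.3.1.1`, would make the duplication deliberate for the next reader.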
@@ -1169,13 +1737,60 @@ rule PUA_VULN_Renamed_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 { } +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1228 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1228d0b6b4f907384346f64e918cc28021fe1cd7d4e39687bca34a708998261a" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200031002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003400200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and 
not filename matches /elbycdio/i +} + + +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_DD2F { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "dd2f1f7012fb1f4b2fb49be57af515cb462aa9c438e5756285d914d65da3745b" + hash = "0cfb7ea2cc515a7fe913ab3619cbfcf1ca96d8cf72dc350905634a5782907a49" + hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b" + hash = "d1c78c8ba70368e96515fb0596598938a8f9efa8f9f5d9e068ee008f03020fee" + hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright 
CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i +} + + rule PUA_VULN_Renamed_Driver_Dell_Dbutil_71FE { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DBUtilDrv2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440042005500740069006c } /* FileDescription DBUtil */ @@ -1195,10 +1810,13 @@ rule PUA_VULN_Renamed_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_EA0B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3" hash = "3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf" + hash = "83fbf5d46cff38dd1c0f83686708b3bd6a3a73fddd7a2da2b5a3acccd1d9359c" hash = "1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe" hash = "45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a" hash = "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d" - date = "2023-07-14" + hash = "d15a0bc7a39bbeff10019496c1ed217b7c1b26da37b2bdd46820b35161ddb3c4" + hash = "bdcacb9f373b017d0905845292bca2089feb0900ce80e78df1bcaae8328ce042" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200770044007200760020004400720069007600650072 } /* FileDescription RwDrvDriver */ 
@@ -1214,13 +1832,37 @@ rule PUA_VULN_Renamed_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_EA0B { } +rule PUA_VULN_Renamed_Driver_Netfiltersys_7FF8 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7ff8fe4c220cf6416984b70a7e272006a018e5662da3cedc2a88efeb6411b4a4" + hash = "1cd75de5f54b799b60789696587b56a4a793cf60775b81f236f0e65189d863af" + hash = "12656fc113b178fa3e6bfffc6473897766c44120082483eb8059ebff29b5d2df" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename 
matches /netfilter2/i +} + + rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_7795 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* FileDescription */ @@ -1242,7 +1884,7 @@ rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_C author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ @@ -1264,7 +1906,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ 
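Review bot: In the new `PUA_VULN_Renamed_Driver_Netfiltersys_7FF8` rule the trailing comments on the `CompanyName` and `ProductName` strings are empty, so a triager has no readable key for `5b8f56fe65e05fe7` and `65e05fe752a0901f5668`; the comment generator evidently keeps only ASCII letters (the same filter turns `Copyright © wyjsq.com` into `Copyrightwyjsqcom` and `1.5.7.8 built by: WinDDK` into `builtbyWinDDK` in this hunk), which silently erases any non-Latin value. Those two hex runs are UTF-16LE CJK code points (U+5B8F U+56FE U+65E0 U+5FE7 and U+65E0 U+5FE7 U+52A0 U+901F U+5668), consistent with the `wyjsq.com` in the LegalCopyright string. Suggest the generator fall back to an escaped form instead of an empty comment, e.g. `/* CompanyName (non-ASCII, UTF-16LE: U+5B8F U+56FE U+65E0 U+5FE7) */`, so a hit can be checked against the PE resource without decoding hex by hand.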
@@ -1280,13 +1922,71 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit } +rule PUA_VULN_Renamed_Driver_Elaboratebytes_Elbycdio_Cdrtools_07AF { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "07af8c5659ad293214364789df270c0e6d03d90f4f4495da76abc2d534c64d88" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + +rule 
PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_F7E0 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f7e0cca8ad9ea1e34fa1a5e0533a746b2fa0988ba56b01542bc43841e463b686" + hash = "ef1abc77f4000e68d5190f9e11025ea3dc1e6132103d4c3678e15a678de09f33" + hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" + hash = "a3975db1127c331ba541fffff0c607a15c45b47aa078e756b402422ef7e81c2c" + hash = "019c2955e380dd5867c4b82361a8d8de62346ef91140c95cb311b84448c0fa4f" + hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63" + hash = "8d6febd54ce0c98ea3653e582f7791061923a9a4842bd4a1326564204431ca9f" + hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22" + hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" + hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775" + hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26" + hash = "3301b49b813427fa37a719988fe6446c6f4468dfe15aa246bec8d397f62f6486" + hash = "f8d6ce1c86cbd616bb821698037f60a41e129d282a8d6f1f5ecdd37a9688f585" + hash = "bc8cb3aebe911bd9b4a3caf46f7dda0f73fec4d2e4e7bc9601bb6726f5893091" + hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i +} + + rule PUA_VULN_Renamed_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9A91 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo11X64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ 
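Review bot: Both rules added in this hunk (`..._Elbycdio_Cdrtools_07AF`, `..._Cpuzsys_Cpuidservice_F7E0`) end with `not filename matches /.../i`, which references the external variable `filename`; it is declared nowhere in the rule text, so the set compiles only in scanners that predefine it (plain `yara` needs `-d filename=<name>`, and an engine without it rejects the whole file with an undefined-identifier error). Nothing in the patch records that prerequisite, and the rule file's header lies outside this hunk. Suggest the enrichment script emit one top-of-file comment such as `// These rules use the external variable 'filename' (yara -d filename=<basename>); scanners that do not define it will fail to compile the set.`, and that it state whether `filename` is expected to hold a basename or a full path, since the exclusions are unanchored substring patterns. Side note for the reviewer: the `_F7E0` hash list is a superset of the `..._Cpuidservice_DEEC` rule deleted later in this patch, so that removal does not reduce coverage.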
@@ -1309,7 +2009,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex reference = "https://github.com/magicsword-io/LOLDrivers" hash = "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1" hash = "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -1332,7 +2032,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b" hash = "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -1354,7 +2054,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -1370,13 +2070,60 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 { } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtierforwindows_V_C190 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c190e4a7f1781ec9fa8c17506b4745a1369dcdf174ce07f85de1a66cf4b5ed8a" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0035002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e0031002e003500200028003200300030003600300038003200380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i +} + + +rule PUA_VULN_Renamed_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_DAF5 { + meta: + description = "Detects 
renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "daf549a7080d384ba99d1b5bd2383dbb1aa640f7ea3a216df1f08981508155f5" + hash = "786f0ba14567a7e19192645ad4e40bee6df259abf2fbdfda35b6a38f8493d6cc" + hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" + hash = "87aae726bf7104aac8c8f566ea98f2b51a2bfb6097b6fc8aa1f70adeb4681e1b" + hash = "48b1344e45e4de4dfb74ef918af5e0e403001c9061018e703261bbd72dc30548" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WiseUnlo/i +} + + rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E2E7 { meta: description = "Detects renamed 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -1398,7 +2145,7 @@ rule PUA_VULN_Renamed_Driver_Ssmartsoftwaresolutionsgmbh_Sysdrvs_Sysdrvs_0E53 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530079007300440072007600330053 } /* FileDescription SysDrvS */ @@ -1420,7 +2167,7 @@ rule PUA_VULN_Renamed_Driver_Copyright_Advancedmalwareprotection_6F55 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* FileDescription AdvancedMalwareProtection */ 
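Review bot: The new `..._Wiseunlosys_Wiseunlo_DAF5` and `..._Novellxtierforwindows_V_C190` rules carry the same fixed `filesize < 100KB` cap as every other generated rule, but `_DAF5` is meant to cover five different samples and nothing in the rule records the sizes the cap was checked against; any listed sample above 100 KB can never fire, and a copy grown past the cap (for instance by padding the certificate table, which keeps the VersionInfo block intact) can slip under a rule whose strings would otherwise match. Since the generator has the sample metadata, it should derive the bound per rule from the largest listed sample plus headroom and print that basis in a trailing comment on the condition line, e.g. `filesize < 100KB /* largest listed sample: <n> KB */`, rather than reuse one constant. I cannot verify the sample sizes from the diff, so confirm them against the LOLDrivers entries before changing the cap.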
@@ -1443,7 +2190,7 @@ rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_D hash = "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2" hash = "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff" hash = "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */ 
@@ -1459,13 +2206,44 @@ rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_D } +rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_405A { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "405a99028c99f36ab0f84a1fd810a167b8f0597725e37513d7430617106501f1" + hash = "73c03b01d5d1eb03ec5cb5a443714b12fa095cc4b09ddc34671a92117ae4bb3a" + hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" + hash = "ff987c30ce822d99f3b4b4e23c61b88955f52406a95e6331570a2a13cbebc498" + hash = "78d49094913526340d8d0ef952e8fe9ada9e8b20726b77fb88c9fb5d54510663" + hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" + hash = "b0f6cd34717d0cea5ab394b39a9de3a479ca472a071540a595117219d9a61a44" + hash = "0e8595217f4457757bed0e3cdea25ea70429732b173bba999f02dc85c7e06d02" + hash = "40da0adf588cbb2841a657239d92f24b111d62b173204b8102dd0e014932fe59" + hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i +} + + rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
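Review bot: The exclusion `not filename matches /cpuz/i` in `..._Cpuidservice_405A` is an unanchored, case-insensitive substring test, so a dropped copy named e.g. `cpuz_loader.sys`, or any file under a directory containing `cpuz` if the scanner feeds a path into `filename`, is whitelisted even though it is not the vendor's file. If the intent is only to skip the legitimately named driver, anchor on the basename, e.g. `not filename matches /^cpuz[^\\\/]*\.sys$/i`, after confirming the exact names CPUID ships. Also worth knowing for maintainers: this rule is identical to the `..._Cpuidservice_F7E0` rule added earlier in the patch except for the LegalCopyright year (`...0032003000310034...` = 2014 vs `...0032003000310036...` = 2016), and the FileVersion/ProductVersion strings in both are the generic WinDDK `6.1.7600.16385` values, so that year is the only thing separating the two rules.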
@@ -1481,6 +2259,28 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 { } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_76AF { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "76af3f9fa111d694e37058606f2636430bdd378c85b94f426fbfcd6666ebe6cc" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000380020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all 
of them and not filename matches /HWiNFO32/i +} + + rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_AB09 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" @@ -1489,8 +2289,10 @@ rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_AB09 { hash = "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a" hash = "e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48" hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790" + hash = "8138b219a2b1be2b0be61e5338be470c18ad6975f11119aee3a771d4584ed750" + hash = "f27febff1be9e89e48a9128e2121c7754d15f8a5b2e88c50102cecee5fe60229" hash = "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ 
@@ -1505,41 +2307,13 @@ rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_AB09 { } -rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_DEEC { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" - hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63" - hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22" - hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0" - hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775" - hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26" - hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" - date = "2023-07-14" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ 
= { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i -} - - rule PUA_VULN_Renamed_Driver_Microfocus_Microfocusxtier_95D5 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription XTierCOMServicesDriver */ @@ -1560,7 +2334,7 @@ rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
@@ -1576,13 +2350,36 @@ rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_003E { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "003e61358878c7e49e18420ee0b4a37b51880be40929a76e529c7b3fb18e81b4" + hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" + hash = "53810ca98e07a567bb082628d95d796f14c218762cbbaa79704740284dccda4b" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename 
matches /nscm/i +} + + rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_7661 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ 
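Review bot: The exclusion `not filename matches /nscm/i` in the new `..._Novellxtier_003E` rule is a four-letter unanchored substring, a wider whitelist than the rule's own `OriginalFilename nscm.sys` string justifies: any `filename` value containing `nscm` (and, if the scanner supplies a path, any directory component containing it) is skipped. An anchored form such as `not filename matches /^nscm\.sys$/i` excludes only the legitimately named driver; confirm what the consuming scanner puts into `filename` before tightening. In the same hunk `..._Zemanaltd_Zam_7661` receives only a `date` bump with no other change, which makes the `date` field useless for telling which rules actually changed; consider leaving `date` untouched on rules the generator did not modify.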
@@ -1595,13 +2392,35 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_7661 { } +rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_965D { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "965d4f981b54669a96c5ab02d09bf0a9850d13862425b8981f1a9271350f28bb" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx64/i +} + + rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC { meta: description = "Detects 
renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -1617,13 +2436,36 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC { } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_653F { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "653f6a65e0e608cae217bea2f90f05d8125cf23f83ba01a60de0f5659cfa5d4d" + hash = "a855b6ec385b3369c547a3c54e88a013dd028865aba0f3f08be84cdcbaa9a0f6" + hash = "49ef680510e3dac6979a20629d10f06822c78f45b9a62ec209b71827a526be94" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310034002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename 
matches /nscm/i
+}
+
+
 rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_7D43 {
 meta:
 description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
@@ -1645,7 +2487,7 @@ rule PUA_VULN_Renamed_Driver_Pchuntersys_Pchunter_1B7F {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00450070006f006f006c0073006f00660074002000570069006e0064006f0077007300200049006e0066006f0072006d006100740069006f006e0020005600690065007700200054006f006f006c0073 } /* FileDescription EpoolsoftWindowsInformationViewTools */
@@ -1667,9 +2509,13 @@ rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_2A6D {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486"
+ hash = "3813c1aab1760acb963bcc10d6ea3fddc2976b9e291710756408de392bc9e5d5"
 hash = "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399"
+ hash = "68671b735716ffc168addc052c5dc3d635e63e71c1e78815e7874286c3fcc248"
 hash = "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961"
- date = "2023-07-14"
+ hash = "69640e9209f8e2ac25416bd3119b5308894b6ce22b5c80cb5d5f98f2f85d42ce"
+ hash = "2298e838e3c015aedfb83ab18194a2503fe5764a862c294c8b39c550aab2f08e"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
@@ -1692,7 +2538,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B {
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee"
 hash = "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062005f005800360034 } /* FileDescription NTIOLibX */
@@ -1708,13 +2554,37 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B { } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_1B17 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1b17d12076d047e74d15e6e51e10497ad49419bec7fbe93386c57d3efbaadc0b" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and 
not filename matches /HWiNFO32/i +} + + rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_C628 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2" - date = "2023-07-14" + hash = "0d30c6c4fa0216d0637b4049142bc275814fd674859373bd4af520ce173a1c75" + hash = "7164aaff86b3b7c588fc7ae7839cc09c5c8c6ae29d1aff5325adaf5bedd7c9f5" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ @@ -1736,7 +2606,7 @@ rule PUA_VULN_Renamed_Driver_Wj_Kprocesshacker_7021 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */ @@ -1757,7 +2627,7 @@ rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ 
@@ -1773,13 +2643,38 @@ rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F { } +rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_8ED0 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8ed0c00920ce76e832701d45117ed00b12e20588cb6fe8039fbccdfef9841047" + hash = "e77786b21dbe73e9619ac9aac5e7e92989333d559aa22b4b65c97f0a42ff2e21" + hash = "9724488ca2ba4c787640c49131f4d1daae5bd47d6b2e7e5f9e8918b1d6f655be" + hash = "a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0037003400360035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0037003400360035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i +} + 
+ rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C74 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CupFixerx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006e0063006500790020004300750070002000460069007800650072 } /* FileDescription SinceyCupFixer */ @@ -1801,7 +2696,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_3B6E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -1823,7 +2718,7 @@ rule PUA_VULN_Renamed_Driver_Mydriverscom_Hwm_Drivergenius_08EB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200470065006e0069007500730020004800610072006400770061007200650020006d006f006e00690074006f0072 } /* FileDescription DriverGeniusHardwaremonitor */ 
@@ -1839,13 +2734,36 @@ rule PUA_VULN_Renamed_Driver_Mydriverscom_Hwm_Drivergenius_08EB { } +rule PUA_VULN_Renamed_Driver_Rweverything_Asrsetupdrvsys_Asrsetupdrvdriver_A072 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrSetupDrv103.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a0728184caead84f2e88777d833765f2d8af6a20aad77b426e07e76ef91f5c3f" + hash = "9d9346e6f46f831e263385a9bd32428e01919cca26a035bbb8e9cb00bf410bc3" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* FileDescription AsrSetupDrvDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410073007200530065007400750070004400720076003100300033002e007300790073 } /* InternalName AsrSetupDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072005300650074007500700044007200760031003000330020004400720069007600650072 } /* ProductName AsrSetupDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410073007200530065007400750070004400720076003100300033002e007300790073 } /* OriginalFilename AsrSetupDrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrSetupDrv103/i +} + + rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ 
@@ -1861,13 +2779,35 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 { } +rule PUA_VULN_Renamed_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_9833 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "983310cdce8397c016bfcfcc9c3a8abbb5c928b235bc3c3ae3a3cc10ef24dfbd" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /vboxguest/i +} + + rule 
PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_8CFD { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ 
@@ -1879,29 +2819,80 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i +} + + +rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName 
viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i +} + + +rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_AD8F { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ad8fd8300ed375e22463cea8767f68857d9a3b0ff8585fbeb60acef89bf4a7d7" + hash = "0507d893e3fd2917c81c1dc13ccb22ae5402ab6ca9fb8d89485010838050d08d" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0039003900380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i } -rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 { +rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_0F3E { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495" - date = "2023-07-14" + hash = "0f3e7bf7b103613844a38afb574817ddaecd00e4d206d891660dbb0e5dfee04e" + hash = "62b14bb308c99132d90646e85bc7d6eb593f38e225c8232f69f24b74a019c176" + hash = "9dbc2a37f53507296cc912e7d354dab4e55541ba821561aa84f74d1bd8346be2" + hash = "71701c5c569ef67391c995a12b21ca06935b7799ed211d978f7877115c58dce0" + hash = "81bcd8a3f8c17ac6dc4bad750ad3417914db10aa15485094eef0951a3f72bdbd" + hash = "1a0f57a4d7c8137baf24c65d542729547b876979273df7a245aaeea87280c090" + hash = "65a3e69854c729659281d2c5f8a4c8274ad3606befdcd9e1b79d3262f260bfa1" + date = "2023-07-31" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ - $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b00200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0039002e0037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /netfilter2/i } @@ -1911,7 +2902,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -1933,7 +2924,7 @@ rule PUA_VULN_Renamed_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */ 
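Review bot: The condition line of `PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_8CFD` is removed and re-added with no visible textual difference, and `PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7` shows up once as an addition and once, further down, as a deletion, so presumably the generator changed only whitespace and emitted the rules in a different order this time. The genuinely new content in this hunk is the `..._Netfiltersys_..._0F3E` rule and the moved `..._Rzpnk_AD8F` rule, but a reader has to diff the two `_58A7` bodies by hand to confirm nothing else changed. If the generator sorted rules by a stable key (rule name or the hash suffix) and stripped trailing whitespace before writing, future rule drops would diff down to the added rules and hashes only, which also makes it easier to spot an accidentally dropped rule.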
@@ -1948,6 +2939,31 @@ rule PUA_VULN_Renamed_Driver_Hpinc_Hpportioxsys_Hpportio_A468 { } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_6B71 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6b71b7f86e41540a82d7750a698e0386b74f52962b879cbb46f17935183cd2c7" + hash = "dd4fedd5662122cbfe046a12e2137294ef1cb7822238d9e24eacc78f22f8e93d" + hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" + hash = "1c2f1e2b0cc4da128feb73a6b9dd040df8495fefe861d69c9f44778c6ddb9b9b" + hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } 
/* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nicm/i +} + + rule PUA_VULN_Renamed_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hw.sys" @@ -1955,7 +2971,7 @@ rule PUA_VULN_Renamed_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c" hash = "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d00380020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */ @@ -1977,7 +2993,7 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ 
@@ -1993,13 +3009,60 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz } +rule PUA_VULN_Renamed_Driver_Innotekgmbh_Vboxusbmonsys_Virtualboxusbmonitordriver_3D05 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3d055be2671e136c937f361cef905e295ddb6983526341f1d5f80a16b7655b40" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxUSBMon/i +} + + +rule 
PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_4C2D { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4c2d2122ef7a100e1651f2ec50528c0d1a2b8a71c075461f0dc58a1aca36bc61" + hash = "d59cc3765a2a9fa510273dded5a9f9ac5190f1edf24a00ffd6a1bbd1cb34c757" + hash = "dafa4459d88a8ab738b003b70953e0780f6b8f09344ce3cd631af70c78310b53" + hash = "46d1dc89cc5fa327e7adf3e3d6d498657240772b85548c17d2e356aac193dd28" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003200300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310038002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i +} + + rule 
PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_7133 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -2021,7 +3084,7 @@ rule PUA_VULN_Renamed_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
@@ -2037,6 +3100,28 @@ rule PUA_VULN_Renamed_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB { } +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_83A1 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "83a1fabf782d5f041132d7c7281525f6610207b38f33ff3c5e44eb9444dd0cbc" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200031002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and 
not filename matches /elbycdio/i +} + + rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3FF3 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" @@ -2044,7 +3129,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa" hash = "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ 
@@ -2060,13 +3145,39 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_1493 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "14938f68957ede6e2b742a550042119a8fbc9f14427fb89fa53fff12d243561c" + hash = "e4cf438838dc10b188b3d4a318fd9ba2479abb078458d7f97591c723e2d637ce" + hash = "41eeeb0472c7e9c3a7146a2133341cd74dd3f8b5064c9dee2c70e5daa060954f" + hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" + hash = "a495ffa623a5220179b0dd519935e255dd6910b7b7bc3d68906528496561ff53" + hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i +} + + rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_6532 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ @@ -2088,7 +3199,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_1768 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ 
@@ -2110,7 +3221,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_D7E0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -2130,7 +3241,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1A42 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -2152,7 +3263,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_BCFC { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -2175,7 +3286,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039" hash = "b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -2191,13 +3302,35 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 { } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_EC9B { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ec9bd7fb90c3a2aa4605bd73fe1f74399e2cda75fd4c5fff84660ad4f797c4fe" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all 
of them and not filename matches /HWiNFO32/i +} + + rule PUA_VULN_Renamed_Driver_Entechtaiwan_Seasys_Softenginex_6CB5 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Se64a.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006e005400650063006800200073006f006600740045006e00670069006e006500200078003600340020006b00650072006e0065006c002d006d006f006400650020006400720069007600650072 } /* FileDescription EnTechsoftEnginexkernelmodedriver */ @@ -2219,7 +3352,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ 
@@ -2235,27 +3368,25 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 { } -rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_E0B5 { +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7702 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b" - hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4" - hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" - date = "2023-07-14" + hash = "7702f240800528d8186e3e6a26e2680486fed65a6fb5a2a000ad12c1fb61a398" + date = "2023-07-31" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* 
OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003700300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00370030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO32/i } 
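Review bot: Coverage for renamed cpuz.sys appears to be lost here: the rule `PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_E0B5` with its three hashes (e0b5…, a072…, ded2…) is removed and `PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7702` takes its slot, while nothing in the visible patch re-adds a cpuz.sys rule. Unless the cpuz rule now lives elsewhere in the regenerated file, the removal should either be restored alongside the new rule or called out in the commit message as deliberate (for instance because the hashes were dropped upstream). The new `_7702` rule otherwise differs from `_EC9B` (hunk @@ -2191) only in the FileVersion/ProductVersion and copyright-year strings, which is consistent with a per-hash generator.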
@@ -2265,7 +3396,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -2283,11 +3414,11 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE { rule PUA_VULN_Renamed_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocker_F85C { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IObitUnlocker.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription UnlockerDriver */ 
@@ -2299,7 +3430,7 @@ rule PUA_VULN_Renamed_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocke $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200049004f006200690074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright IObitAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /IObitUnlocker/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iobitunlocker/i } @@ -2309,7 +3440,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -2331,7 +3462,7 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ 
@@ -2353,7 +3484,7 @@ rule PUA_VULN_Renamed_Driver_Multitheftauto_Mtasanandreas_9F4C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0075006c007400690020005400680065006600740020004100750074006f0020007000610074006300680020006400720069007600650072 } /* FileDescription MultiTheftAutopatchdriver */ 
@@ -2367,13 +3498,35 @@ rule PUA_VULN_Renamed_Driver_Multitheftauto_Mtasanandreas_9F4C { } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_F629 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f62911334068c9edd44b9c3e8dee8155a0097aa331dd4566a61afa3549f35f65" + hash = "0cf91e8f64a7c98dbeab21597bd76723aee892ed8fa4ee44b09f9e75089308e2" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i +} + + rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_45F4 { meta: 
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -2392,7 +3545,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3E1D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2414,7 +3567,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ 
@@ -2430,13 +3583,57 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy } +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_4ED2 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e00320030003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i +} + + +rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_CFA2 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "cfa28e2f624f927d4cbd2952306570d86901d2f24e3d07cc6277e98289d09783" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName 
VBoxTAPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e002000260020004f00740068006500720073 } /* LegalCopyright SunMicrosystemsIncOthers */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxTAP/i +} + + rule PUA_VULN_Renamed_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B583 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo10X64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */ 
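Review bot: The condition of `PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_4ED2` carries three redundant exclusions: `/rtkio64/i`, `/rtkiow8x64/i` and `/rtkiow10x64/i` are all already matched by the preceding `/rtkio/i`, so the line can be shortened to `uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i`. Separately, the CompanyName, ProductName, LegalCopyright, InternalName and OriginalFilename hex strings of this rule encode the trailing space padding of the sample's VersionInfo fields (runs of `0020`, e.g. `...00360034002e0073007900730020` is "rtkio64.sys " with a trailing space), so a build of the same driver with different padding would not match; if the generator derives these from the sample, trimming trailing whitespace before encoding would make the strings less brittle without weakening them.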
@@ -2452,13 +3649,57 @@ rule PUA_VULN_Renamed_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B } +rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_88FB { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "88fb0a846f52c3b680c695cd349bf56151a53a75a07b8b0b4fe026ab8aa0a9af" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx64/i +} + + +rule 
PUA_VULN_Renamed_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdriver_4AE4 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrAutoChkUpdDrv_1_0_32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ae42c1f11a98dee07a0d7199f611699511f1fb95120fabc4c3c349c485467fe" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* InternalName AsrAutoChkUpdDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f003300320020004400720069007600650072 } /* ProductName AsrAutoChkUpdDrvDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076005f0031005f0030005f00330032002e007300790073 } /* OriginalFilename AsrAutoChkUpdDrvsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrAutoChkUpdDrv_1_0_32/i +} + + rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_F6CD { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ 
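Review bot: The `date` meta of the AMD Ryzen Master rule at the end of this hunk is rewritten from `2023-07-14` to `2023-07-31` although none of that rule's strings or condition change, so the field no longer records when the rule was created and every regeneration of the file will produce the same churn on every unchanged rule. Keeping `date` stable and expressing the regeneration as a separate `modified = "2023-07-31"` line (the convention the rest of the meta block already follows for `reference`/`hash`) would preserve that history and let real rule changes, such as the two new SpeedFan and ASRock rules above, stand out in the diff. The AMD rule's strings and condition continue outside this hunk.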
@@ -2474,25 +3715,25 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_B37B { +rule PUA_VULN_Renamed_Driver_Innotekgmbh_Vboxtapsys_Virtualboxhostinterfacenetworkingdriver_994F { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b" - hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e" - date = "2023-07-14" + hash = "994f322def98c99aec7ea0036ef5f4b802120458782ae3867d116d55215c56e4" + date = "2023-07-31" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* FileDescription VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002f0032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002f0032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* InternalName VBoxTAPsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200048006f0073007400200049006e00740065007200660061006300650020004e006500740077006f0072006b0069006e00670020004400720069007600650072 } /* ProductName VirtualBoxHostInterfaceNetworkingDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005400410050002e007300790073 } /* OriginalFilename VBoxTAPsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048002000260020004f00740068006500720073 } /* LegalCopyright innotekGmbHOthers */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxTAP/i } 
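Review bot: This hunk replaces the Novell libnicm.sys rule `PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_B37B` (FileVersion `3.1.6.0`, copyright 2000-2008, hashes b37b3c68… and b50ffc60…) with the innotek VBoxTAP.sys rule instead of adding the latter next to it, and the libnicm rule re-added later in this patch (`..._Novellxtier_D04C`) only carries the `3.1.12.0` / 2000-2015 VersionInfo strings, so renamed copies of the 3.1.6.0 build stop being detected unless an equivalent rule exists outside this diff. If that drop is not intended, restore the B37B rule unchanged and keep the 994F rule as a pure addition; the two drivers share no VersionInfo values, so separate rules are the right shape.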
@@ -2502,7 +3743,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2A62 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -2524,7 +3765,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -2547,7 +3788,7 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredri reference = "https://github.com/magicsword-io/LOLDrivers" hash = "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0" hash = "0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ 
@@ -2563,13 +3804,36 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredri } +rule PUA_VULN_Renamed_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_9D53 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9d530642aeb6524691d06b9e02a84e3487c9cdd86c264b105035d925c984823a" + hash = "5e27fe26110d2b9f6c2bad407d3d0611356576b531564f75ff96f9f72d5fcae4" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e00310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WiseUnlo/i +} + + rule PUA_VULN_Renamed_Driver_Supermicrocomputerinc_Phymem_Phymem_1963 { meta: description = "Detects renamed vulnerable driver mentioned in 
LOLDrivers project using VersionInfo values from the PE header - phymem64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007000680079006d0065006d0020004100700070006c00690063006100740069006f006e } /* FileDescription phymemApplication */ @@ -2591,7 +3855,7 @@ rule PUA_VULN_Renamed_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmems author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* FileDescription PhysicalMemoryAccessDriver */ 
@@ -2607,13 +3871,37 @@ rule PUA_VULN_Renamed_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmems } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_D04C { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d04c72fd31e7d36b101ad30e119e14f6df9cbc7a761526da9b77f9e0b9888bc4" + hash = "3b7177e9a10c1392633c5f605600bb23c8629379f7f42957972374a05d4dc458" + hash = "87e094214feb56a482cd8ae7ee7c7882b5a8dccce7947fdaa04a660fa19f41e5" + hash = "72b67b6b38f5e5447880447a55fead7f1de51ca37ae4a0c2b2f23a4cb7455f35" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310035002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright 
CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i +} + + rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_E839 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004300500055005f00430043 } /* FileDescription NTIOLibforMSICPUCC */ @@ -2631,11 +3919,11 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_E839 { rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F85E { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -2647,7 +3935,7 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F85E { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } @@ -2657,8 +3945,11 @@ rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_6C71 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44" + hash = "8b688dd055ead2c915a139598c8db7962b42cb6e744eaacfcb338c093fc1f4e7" + hash = "84739539aa6a9c9cb3c48c53f9399742883f17f24e081ebfa7bfaaf59f3ed451" + hash = "e279e425d906ba77784fb5b2738913f5065a567d03abe4fd5571695d418c1c0f" hash = "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ 
@@ -2679,7 +3970,7 @@ rule PUA_VULN_Renamed_Driver_Dtresearchinc_Iomemsys_Iomemsys_DD4A { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ @@ -2702,7 +3993,7 @@ rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_00 reference = "https://github.com/magicsword-io/LOLDrivers" hash = "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b" hash = "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ @@ -2724,7 +4015,7 @@ rule PUA_VULN_Renamed_Driver_Creativetechnologyinnovationcoltd_Ctiiosys_Ctiiodri author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430054004900200049004f0020006400720069007600650072 } /* FileDescription CTIIOdriver */ 
@@ -2746,7 +4037,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
@@ -2758,7 +4049,29 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i + uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i +} + + +rule PUA_VULN_Renamed_Driver_Elaboratebytes_Elbycdio_Cdrtools_98EC { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "98ec7cc994d26699f5d26103a0aeb361128cff3c2c4d624fc99126540e23e97e" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f003200300030003000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073 } /* CompanyName ElaborateBytes */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO 
*/ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200045006c00610062006f007200610074006500200042007900740065007300200032003000300030 } /* LegalCopyright CopyrightCElaborateBytes */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } @@ -2772,7 +4085,7 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F { hash = "0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c" hash = "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f" hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ @@ -2795,7 +4108,7 @@ rule PUA_VULN_Renamed_Driver_Huawei_Hwosec_Huaweimatebook_BB11 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc" hash = "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480077004f0073003200450063 } /* FileDescription HwOsEc */ 
@@ -2817,7 +4130,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -2833,13 +4146,59 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 { } +rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_0BD1 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0bd1523a68900b80ed1bccb967643525cca55d4ff4622d0128913690e6bb619e" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx32/i +} + + +rule 
PUA_VULN_Renamed_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_1FAC { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718" + hash = "f4c7e94a7c2e49b130671b573a9e4ff4527a777978f371c659c3f97c14d126de" + hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of 
them and not filename matches /EIO/i +} + + rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
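Review bot: The allow-list `not filename matches /EIO/i` in the new ASUS EIO.sys rule is an unanchored three-character pattern, so a renamed copy whose name merely contains "eio" (or, depending on how the scanner populates the `filename` external, any path component with that substring) is silently not reported, a noticeably wider evasion window than the longer stems the other rules in this hunk exclude (`sfdrvx32`). Anchoring on the genuine file name, `not filename matches /(^|[\\\/])eio\.sys$/i`, keeps the intended exemption of the real driver without assuming whether `filename` carries a directory part. The condition of this rule is split across the physical line break at the end of the hunk.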
@@ -2851,7 +4210,29 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + +rule PUA_VULN_Renamed_Driver_Netfiltersys_F171 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f1718a005232d1261894b798a60c73d971416359b70d0e545d7e7a40ed742b71" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a0053005100200057004600500020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQWFPDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0037002e0038 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0032002e0039003200300030002e00320030003500350037 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f5668 } /* ProductName */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /netfilter2/i } @@ -2861,7 +4242,7 @@ rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_074A { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -2884,7 +4265,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54" hash = "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
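Review bot: The two non-ASCII VersionInfo values in the new netfilter2.sys rule (`CompanyName` value `5b8f56fe65e05fe7`, `ProductName` value `65e05fe752a0901f5668`) are written as big-endian UTF-16 code units, the same per-character `00XX` layout the ASCII strings use; that layout only lines up with the little-endian WCHARs stored in a PE version resource because the ASCII high byte is zero and the whole pattern is shifted one byte left, which stops working as soon as the high byte is non-zero. As written these two strings cannot match the bytes on disk, and because the condition is `all of them` the whole rule would never fire; byte-swapping each code unit, `[1-8]8f5bfe56e065e75f` for CompanyName and `[1-8]e065e75fa0521f906856` for ProductName, restores a matchable pattern (or switch these two to text strings with the `wide` modifier and let YARA encode them). The empty `/* CompanyName */` and `/* ProductName */` comments show the generator's ASCII-only sanitiser also dropped the original values, so the fix belongs in the generator as well; please verify the corrected rule against the sample named in the `hash` meta before merging.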
@@ -2906,7 +4287,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_818E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -2929,7 +4310,7 @@ rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_5F reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36" hash = "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ @@ -2951,7 +4332,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_ED2F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -2973,7 +4354,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_DE8F {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
@@ -2986,41 +4367,13 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_DE8F { } -rule PUA_VULN_Renamed_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_950A { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrOmgDrv.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9" - hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c" - hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" - hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" - hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838" - hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d" - hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7" - date = "2023-07-14" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */ - $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrOmgDrv/i -} - - rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_E428 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3044,7 +4397,7 @@ rule PUA_VULN_Renamed_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_0 hash = "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14" hash = "2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a" hash = "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* FileDescription RWEverythingReadWriteDriver */ 
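Review bot: Deleting PUA_VULN_Renamed_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_950A drops detection for the seven AsrOmgDrv.sys hashes it listed (950a…, ece0…, a7c2…, f404…, 3943…, 2003…, 6ed3…) unless an equivalent rule is emitted elsewhere in the regenerated file, and neither this hunk nor the commit message says whether that is the case. The same silent drop happens to the Novell NICM rule (replaced in place by the Sandra rules in the next hunk), the Razer rzpnk rule, the CPUID cpuz rule and the PowerTool kEvP64 rule in later hunks. Suggest either re-adding those rules or recording the removals in the commit description, e.g. `Removed rules: AsrOmgDrv, NICM, rzpnk, cpuz, kEvP64 — reason: <why>`, so the coverage change is deliberate and auditable.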
@@ -3060,25 +4413,47 @@ rule PUA_VULN_Renamed_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_0 } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_CF31 { +rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_CBF7 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NICM.SYS" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190" - hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a" - date = "2023-07-14" + hash = "cbf74bed1a4d3d5819b7c50e9d91e5760db1562d8032122edac6f0970f427183" + date = "2023-07-31" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e00640072006100200044006500760069006300650020004400720069007600650072002000280049004100360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverIAUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sandra/i +} + + +rule 
PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_1284 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0032002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0032002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300035002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all 
of them and not filename matches /NICM/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sandra/i } @@ -3088,7 +4463,7 @@ rule PUA_VULN_Renamed_Driver_Logitechinc_Lvavsys_Logitechwebcamsoftware_E86C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f00670069007400650063006800200056006900640065006f0020004400720069007600650072 } /* FileDescription LogitechVideoDriver */ @@ -3110,7 +4485,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_2BBC { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -3129,7 +4504,7 @@ rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F1 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */ 
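Review bot: The two new Sandra rules (…Sisoftwaresandra_CBF7 and …Sisoftwaresandra_1284) share the CompanyName, InternalName, ProductName and OriginalFilename patterns and differ only in FileDescription, FileVersion, ProductVersion and LegalCopyright, yet each requires `all of them`, so each fires only for its exact build and a renamed sandra.sys of any other version is matched by neither. If one rule per LOLDrivers hash is the intended design, a comment on the first rule saying so, e.g. `// one rule per known hash: version strings are deliberately exact`, would stop the next maintainer from merging them; if broader coverage is wanted, a single rule keyed on the four build-independent strings with the version strings under `n of them` would be the alternative. Either way the decision is not visible from the hunk.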
@@ -3145,35 +4520,13 @@ rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F1 } -rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_93D8 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" - date = "2023-07-14" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rzpnk/i -} - - rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_86A1 { meta: description = "Detects renamed vulnerable driver mentioned in 
LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3195,7 +4548,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3217,7 +4570,7 @@ rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltxs author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */ 
@@ -3241,7 +4594,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Window
 hash = "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab"
 hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82"
 hash = "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */
@@ -3257,38 +4610,13 @@ rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Window } -rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_2EF7 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e" - hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98" - hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126" - hash = "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668" - date = "2023-07-14" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName 
WindowsRCodenameLonghornDDKdriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i -} - - rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_6FFD { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c00650020004e006f00540072006100700020004200750069006c0064 } /* FileDescription TrendMicroCommonModuleNoTrapBuild */ @@ -3310,7 +4638,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserve author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200044006500760069006300650020004400720069007600650072 } /* FileDescription SpeedFanDeviceDriver */ 
@@ -3326,13 +4654,35 @@ rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserve } +rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_F4EE { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f4ee803eefdb4eaeedb3024c3516f1f9a202c77f4870d6b74356bbde32b3b560" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003600340020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300033002e00310031 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800360034002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310033 } /* LegalCopyright CopyrightAlmicoSoftware */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx64/i +} + + rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_AD8F { 
meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -3354,7 +4704,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -3376,7 +4726,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -3392,37 +4742,13 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF { } -rule PUA_VULN_Renamed_Driver_Powertool_Kevpsys_Powertool_1AAA { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" - hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184" - hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f" - date = "2023-07-14" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */ - condition: - uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /kEvP64/i -} - - rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2FBB { meta: - 
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ @@ -3434,7 +4760,7 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2FBB { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } 
@@ -3444,7 +4770,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_14AD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3466,7 +4792,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E4D9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -3488,7 +4814,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F65 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -3512,7 +4838,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex
 hash = "3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc"
 hash = "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7"
 hash = "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
@@ -3528,13 +4854,35 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6E9E { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6e9e9e0b9a23deec5f28dc45f0bbe7423565f037f74be2957e82e5f72c886094" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003800300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00380030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB 
and all of them and not filename matches /HWiNFO32/i +} + + rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_A2F4 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -3556,7 +4904,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_DCB8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -3580,7 +4928,7 @@ rule PUA_VULN_Renamed_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_ hash = "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d" hash = "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af" hash = "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */ 
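Review bot: The `date` of the untouched `PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_A2F4` rule at the end of this hunk is bumped from 2023-07-14 to 2023-07-31 although none of its strings or its condition changed, and the same date-only bump is applied in every other hunk of this file. After this lands `date` no longer tells a consumer when a rule's detection logic last changed, which is what that meta field is normally used for when triaging rule updates. If the generator has to stamp the run, keep `date` as the rule's original value and record the run in a separate field, e.g. `modified = "2023-07-31"` (constructed example), or derive `date` from the entry's own last-changed timestamp. This presumably comes from the generator writing the current date unconditionally, so the fix belongs there rather than in the YARA output.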
@@ -3598,11 +4946,11 @@ rule PUA_VULN_Renamed_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ 
@@ -3614,17 +4962,17 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_496F { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ 
@@ -3646,7 +4994,7 @@ rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_4
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d004900430053005900530020006400720069007600650072 } /* FileDescription MICSYSdriver */
@@ -3669,7 +5017,7 @@ rule PUA_VULN_Renamed_Driver_Marvintestsolutionsinc_Hwsys_Hw_4880 {
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8"
 hash = "55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d003100300020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */
@@ -3681,61 +5029,151 @@ rule PUA_VULN_Renamed_Driver_Marvintestsolutionsinc_Hwsys_Hw_4880 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480057002e007300790073 } /* OriginalFilename HWsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390036002d00320030003200310020004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightMarvinTestSolutionsIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /hw/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /hw/i +} + + +rule PUA_VULN_Renamed_Driver_Overclockingtool_Atillksys_Overclockingtool_11A9 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "11a9787831ac4f0657aeb5e7019c23acc39d8833faf28f85bd10d7590ea4cc5f" + hash = "d2182b6ef3255c7c1a69223cd3c2d68eb8ba3112ce433cd49cd803dc76412d4b" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f0076006500720063006c006f0063006b0069006e00670020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription OverclockingHardwareAbstractionSys */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* CompanyName OverclockingTool */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310030002e00320030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f0076006500720063006c006f0063006b0069006e006700200054006f006f006c } /* ProductName OverclockingTool */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002c00200032003000300035 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /atillk64/i +} + + +rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_0C92 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0c925468c3376458d0e1ec65e097bd1a81a03901035c0195e8f6ef904ef3f901" + hash = "16e2b071991b470a76dff4b6312d3c7e2133ad9ac4b6a62dda4e32281952fb23" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e0033003100330037 } /* ProductVersion */ + $ = { 
0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310034 } /* LegalCopyright CopyrightC */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /rzpnk/i +} + + +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* 
ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + +rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibrary_F596 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIO.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* 
InternalName PanIOsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* OriginalFilename PanIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PanIO/i } -rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA { +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_0DC4 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185" - date = "2023-07-14" + hash = "0dc4ff96d7e7db696e0391c5a1dda92a0b0aedbf1b0535bf5d62ebeec5b2311c" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName 
ElaborateBytesAG */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002c00200030002c00200030002c00200030 } /* ProductVersion */ $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003500200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } -rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibrary_F596 { +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_66F8 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the 
PE header - PanIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960" - date = "2023-07-14" + hash = "66f8bd2b29763acfbb7423f4c3c9c3af9f3ca4113bd580ab32f6e3ee4a4fc64e" + hash = "7f84f009704bc36f0e97c7be3de90648a5e7c21b4f870e4f210514d4418079a0" + date = "2023-07-31" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* InternalName PanIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* OriginalFilename PanIOsys */ - $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PanIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i } rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { meta: - description = "Detects renamed vulnerable 
driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ 
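Review bot: The `not filename matches /hw/i` exclusion re-emitted at the top of this hunk for the `PUA_VULN_Renamed_Driver_Marvintestsolutionsinc_Hwsys_Hw_4880` rule (its header and strings sit above the hunk) is a two-letter substring test, so any renamed copy whose new name merely contains "hw" — a hypothetical `hwmon.sys`, or the `HWiNFO32.SYS` this same file also covers — is excluded from detection, whereas the neighbouring rules use the full stem (`/atillk64/i`, `/rzpnk/i`, `/libnicm/i`, `/elbycdio/i`). Anchoring the exclusion to the whole base name, e.g. `not filename matches /(^|[\\\/])hw\.sys$/i`, keeps the allowance for the genuine file name only; whether `filename` carries a directory prefix depends on how the scanner sets that external variable, so confirm before relying on the `^` alternative. The pattern presumably comes from the generator deriving the regex from the OriginalFilename stem, so a minimum-length or whole-name rule there would fix every short stem at once rather than this one rule.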
@@ -3751,13 +5189,35 @@ rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 { } +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_D0EB { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d0eb3ba0aff471d19260192784bf9f056d669b779b6eaff84e732b7124ce1d11" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Tmel/i +} + + rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -3773,13 +5233,35 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 { } +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1F15 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1f15fd9b81092a98fabcc4ac95e45cec2d9ff3874d2e3faac482f3e86edad441" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200036 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} 
+ + rule PUA_VULN_Renamed_Driver_Fujitsulimited_Advdrvsys_Microsoftrwindowsroperatingsystem_04A8 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ADV64DRV.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460055004a00490054005300550020004c0049004d0049005400450044002e } /* CompanyName FUJITSULIMITED */ @@ -3800,7 +5282,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -3822,7 +5304,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7837 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
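Review bot: The new `PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1F15` rule repeats, byte for byte, the FileDescription, OriginalFilename and LegalCopyright (2000 - 2009) strings of the existing `..._Elbycdio_Cdrtools_2380` rule edited earlier in this diff, and its CompanyName, InternalName and ProductName are the same as in the `_5CFA` and `_0DC4` siblings; only `FileVersion` (`6, 0, 1, 6`) is visibly distinct, and `_2380`'s FileVersion line is outside the diff. If that line matches as well, the two rules are exact duplicates that differ only in `hash` meta and will always fire together, which doubles alert volume without adding coverage; if it differs, one rule listing both FileVersion strings as `$fv1`/`$fv2` with `1 of ($fv*)` in the condition would cover both samples and be easier to maintain. Worth confirming that the generator de-duplicates on the VersionInfo tuple rather than on the sample hash before this lands. The following hunks in this line, which only bump `date` on `_04A8`, `_0cd4` and `_7837`, need no change beyond that.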
@@ -3844,7 +5326,7 @@ rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsy
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */
@@ -3866,7 +5348,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_D0BD {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */
@@ -3888,7 +5370,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_4E37 {
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
@@ -3910,7 +5392,7 @@ rule PUA_VULN_Renamed_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f006200690074002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription IObitTemperatureMonitor */ @@ -3928,11 +5410,11 @@ rule PUA_VULN_Renamed_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 { rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_881B { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ 
@@ -3954,7 +5436,7 @@ rule PUA_VULN_Renamed_Driver_Dtresearchinc_Iomemsys_Iomemsys_3D23 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */ @@ -3978,7 +5460,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Vmdrvsys_Windowsrwinddkdrive hash = "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3" hash = "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921" hash = "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0056006f006900630065006d006f00640020005600690072007400750061006c00200041007500640069006f00200044006500760069006300650020002800570044004d0029 } /* FileDescription VoicemodVirtualAudioDeviceWDM */ @@ -4001,7 +5483,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc" hash = "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ 
@@ -4023,7 +5505,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F69 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ @@ -4045,7 +5527,7 @@ rule PUA_VULN_Renamed_Driver_Oti_Otipcibussys_Kernelmodedrivertoaccessphysicalme author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200041006300630065007300730020004400720069007600650072 } /* FileDescription HardwareAccessDriver */ @@ -4067,7 +5549,7 @@ rule PUA_VULN_Renamed_Driver_Atszio_Atsziodriver_673B { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b" hash = "31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ 
@@ -4084,11 +5566,11 @@ rule PUA_VULN_Renamed_Driver_Atszio_Atsziodriver_673B { rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -4100,7 +5582,29 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + +rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_D7C7 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* 
InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdPresentAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sandra/i } @@ -4110,7 +5614,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_A802 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4132,7 +5636,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windo author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041005300550053002000540044004500200043005000550020004400720069007600650072 } /* FileDescription ASUSTDECPUDriver */ 
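Review bot: The condition edit from `not filename matches /ElbyCDIO/i` to `not filename matches /elbycdio/i` is a semantic no-op, because the `/i` flag already makes the regex case-insensitive, so that line is pure diff churn; presumably the generator now lowercases the driver name, which is fine to keep but worth knowing when reviewing future regenerations. The new `PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_D7C7` rule, like every rule in this file, depends on the external variable `filename` in its condition, and YARA refuses to compile the whole ruleset with an undefined-identifier error unless the consumer supplies it (`yara -d filename=<value>` on the CLI, or `externals={'filename': ...}` in yara-python). If the repository's usage notes do not already state that requirement, this commit, which adds many more such rules, is the place to add it.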
@@ -4154,7 +5658,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -4170,47 +5674,25 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE { } -rule PUA_VULN_Renamed_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_358A { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" - date = "2023-07-14" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WiseUnlo/i -} - - -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_CE23 { +rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_1E94 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo 
values from the PE header - nscm.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2" - hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7" - date = "2023-07-14" + hash = "1e94d4e6d903e98f60c240dc841dcace5f9e8bbb0802e6648a49ab80c23318cb" + date = "2023-07-31" score = 70 strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ + $ = { 
0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* FileVersion X */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580032002e00300031002e00300037 } /* ProductVersion X */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007000650065006400460061006e } /* ProductName SpeedFan */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310031 } /* LegalCopyright CopyrightAlmicoSoftware */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx32/i } @@ -4220,7 +5702,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_3C18 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ 
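Review bot: Detection coverage is silently dropped here: the rules `PUA_VULN_Renamed_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_358A` (hash `358ac54b…`) and `PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_CE23` (hashes `ce23c2da…` and `28999af3…`) are deleted, and the hunk at `@@ -4321,34 +5825,13 @@` likewise deletes `PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_8E88`, while the commit message only speaks of updating the YAMLs with new YARA rules. Nothing in the diff says whether this is a deliberate upstream retraction or a regeneration artifact; if deliberate, the commit message should say so, and if not, the rules should be restored, since downstream consumers of this file lose matches for those hashes without any signal. The added `PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_1E94` rule that takes their place looks consistent with its siblings and is not the concern.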
@@ -4239,7 +5721,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -4255,13 +5737,35 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 { } +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_3E85 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3e85cf32562a47d51827b21ab1e7f8c26c0dbd1cd86272f3cc64caae61a7e5fb" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i 
+} + + rule PUA_VULN_Renamed_Driver_Hpdevelopmentcompany_Etdsuppsys_Hpetdidriverdll_F744 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - etdsupp.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004500540044006900200053007500700070006f007200740020004400720069007600650072 } /* FileDescription ETDiSupportDriver */ @@ -4283,7 +5787,7 @@ rule PUA_VULN_Renamed_Driver_Asus_Asmmapsys_Atkgenericfunctionservice_025E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0065006d006f007200790020006d0061007000700069006e00670020004400720069007600650072 } /* FileDescription MemorymappingDriver */ @@ -4305,7 +5809,7 @@ rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ 
@@ -4321,34 +5825,13 @@ rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 { } -rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_8E88 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c" - date = "2023-07-14" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i -} - - rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0B54 { meta: description = "Detects renamed vulnerable 
driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -4370,7 +5853,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -4393,7 +5876,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_5439 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91" hash = "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ 
@@ -4406,13 +5889,57 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_5439 { } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_FF1C { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ff1ccef7374a1a5054a6f4437e3e0504b14ed76e17090cc6b1a4ec0e2da427a5" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003600300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00360030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all 
of them and not filename matches /HWiNFO32/i +} + + +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfoisys_Hwinfoiakerneldriver_33C6 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO64I.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "33c6c622464f80a8d8017a03ff3aa196840da8bb03bfb5212b51612b5cf953dc" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOIAKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e00370032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00370032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* InternalName HWiNFOISYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f002000490041003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOIAKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f003600340049002e005300590053 } /* OriginalFilename HWiNFOISYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100320020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HWiNFO64I/i +} + + rule 
PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -4428,13 +5955,57 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 { } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7125 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7125c9831a52d89d3d59fb28043b67fbe0068d69732da006fabb95550d1fa730" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f00330032002f003600340020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and 
filesize < 100KB and all of them and not filename matches /HWiNFO32/i +} + + +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_E89C { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e89cb7217ec1568b43ad9ca35bf059b17c3e26f093e373ab6ebdeee24272db21" + hash = "834a3d755b5ae798561f8e5fbb18cf28dfcae7a111dc6a03967888e9d10f6d78" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i +} + + rule 
PUA_VULN_Renamed_Driver_Advancedmicrodevicesinc_Amdpowerprofilersys_Amduprof_0AF5 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDPowerProfiler.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d004400200050006f007700650072002000500072006f00660069006c0069006e00670020004400720069007600650072 } /* FileDescription AMDPowerProfilingDriver */ @@ -4456,7 +6027,7 @@ rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_P author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */ 
@@ -4472,13 +6043,35 @@ rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_P } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_8DCE { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8dcec67a1f4903981c3e0ab938784c2f241e041e26748e1c22059e0e507cfb37" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003500300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00350030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB 
and all of them and not filename matches /HWiNFO32/i +} + + rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_1AAF { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */ @@ -4500,7 +6093,7 @@ rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriver_1D03 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */ @@ -4523,7 +6116,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b" hash = "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */ 
@@ -4539,13 +6132,35 @@ rule PUA_VULN_Renamed_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF } +rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_0452 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0452a6e8f00bae0b79335c1799a26b2b77d603451f2e6cc3b137ad91996d4dec" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200030002c00200031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /segwindrvx64/i +} + + rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswvmmsys_Avastantivirus_3650 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswVmm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00610076006100730074002100200056004d0020004d006f006e00690074006f0072 } /* FileDescription avastVMMonitor */ @@ -4567,7 +6182,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -4583,6 +6198,28 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F { } +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_DD62 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "dd628061d6e53f3f0b44f409ad914b3494c5d7b5ff6ff0e8fc3161aacec93e96" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d0020004400720069007600650072 } /* FileDescription TrendMicroELAMDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Tmel/i +} + + rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FCA1 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" @@ -4590,7 +6227,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FCA1 { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c" hash = "7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -4606,6 +6243,28 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FCA1 { } +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_DB71 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "db711ec3f4c96b60e4ed674d60c20ff7212d80e34b7aa171ad626eaa8399e8c7" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300034002e0030003100300035002e0032003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i +} + + rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_7E81 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" @@ -4613,7 +6272,7 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d" hash = "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ 
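Review bot: The condition of `PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_DB71` ends with four `not filename matches` clauses, but `/rtkio/i` is an unanchored substring match that already excludes `rtkio64`, `rtkiow8x64` and `rtkiow10x64`, so the last three clauses never change the result. The same chain is repeated in `PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_A6F7` in a later hunk. `uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i` is equivalent and easier to audit. These rules look generator-produced (shared description template, literal `0020` padding runs in the CompanyName/ProductName patterns), so the deduplication belongs in the generator's handling of the original-filename list rather than in a hand edit of this file.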
@@ -4625,7 +6284,28 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003800200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i +} + + +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_6CF1 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6cf1cac0e97d30bb445b710fd8513879678a8b07be95d309cbf29e9b328ff259" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310030002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i } @@ -4635,7 +6315,7 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ 
@@ -4651,13 +6331,32 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B } +rule PUA_VULN_Renamed_Driver_3F20 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - pchunter.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "3f20ac5dac9171857fc5791865458fdb6eac4fab837d7eabc42cb0a83cb522fc" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]7cfb7edf4fe1606f67e5770b5de55177 } /* FileDescription */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8982af7f5176feff0853174eacff0979d1628067099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0035002e0037 } /* ProductVersion */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200032003000310039002d003200300032003100200041006e00580069006e00530065006300200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CAnXinSecCorporationAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 700KB and all of them and not filename matches /pchunter/i +} + + rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 
00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ @@ -4679,7 +6378,7 @@ rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_119C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f00360034 } /* FileDescription ALSysIO */ 
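Review bot: In `PUA_VULN_Renamed_Driver_3F20` the FileDescription and CompanyName value bytes (`7cfb7edf4fe1...`, `5b8982af7f51...`) are written as big-endian UTF-16 code units, but PE VersionInfo strings are stored little-endian; the ASCII-only patterns in this file still match because every code unit has a `00` high byte, so the pattern lines up one byte early against the real data, while for these CJK values no such alignment exists. If that reading is right, those two strings can never match the sample, `all of them` is never satisfied, and the rule gives no coverage for a renamed pchunter.sys while appearing to. The likely fix is to byte-swap the two values, e.g. `...006f006e[1-8]fb7cdf7ee14f6f60e5670b77e55d7751 }` and `...006d0065[1-8]895baf82517ffe7608ff1753ac4e09ffd1798062096750966c51f853 }` (constructed by swapping the visible code units; verify against the hash given in the rule before committing), or better, have the generator emit UTF-16LE for every value. The empty `/* FileDescription */` and `/* CompanyName */` comments and the missing vendor/product tokens in the rule name point to the same non-ASCII handling gap in the generator.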
@@ -4695,13 +6394,35 @@ rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_119C { } +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9CA5 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "9ca586b49135166eea00c6f83329a2d134152e0e9423822a51c13394265b6340" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200039 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + 
rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_1DDF { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ @@ -4723,7 +6444,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_12ED { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4745,7 +6466,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3D9E { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004e00540049004f004c00690062005f00450043004f } /* FileDescription NTIOLibForNTIOLibECO */ 
@@ -4767,7 +6488,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_A5A5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -4789,7 +6510,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysy author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */ @@ -4811,7 +6532,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -4827,13 +6548,57 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 { } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4E54 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4e54e98df13110aac41f3207e400cce2a00df29ce18c32186e536c1de25a75ce" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003200300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003000390020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all 
of them and not filename matches /HWiNFO32/i +} + + +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_A6F7 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a6f7897cd08fe9de5e902bb204ff87215584a008f458357d019a50d6139ca4af" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e00320030003100320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300031002e0030003700320035002e0032003000310032 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i +} + + rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0F01 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ 
@@ -4849,13 +6614,57 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit } +rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxusbmonsys_Virtualboxusbmonitordriver_8A24 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8a2482e19040d591c7cec5dfc35865596ce0154350b5c4e1c9eecc86e7752145" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* FileDescription VirtualBoxUSBMonitorDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* InternalName VBoxUSBMonsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020004d006f006e00690074006f00720020004400720069007600650072 } /* ProductName VirtualBoxUSBMonitorDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042004d006f006e002e007300790073 } /* OriginalFilename VBoxUSBMonsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright SunMicrosystemsInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB 
and all of them and not filename matches /VBoxUSBMon/i +} + + +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_033C { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "033c4634ab1a43bc3247384864f3380401d3b4006a383312193799dded0de4c7" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200032 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + rule 
PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_C082 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4878,7 +6687,7 @@ rule PUA_VULN_Renamed_Driver_Openlibsysorg_Winringsys_Winring_47EA { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84" hash = "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ @@ -4900,7 +6709,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_591B { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d005300490052006100740069006f005f00430043 } /* FileDescription NTIOLibForMSIRatioCC */ 
@@ -4922,7 +6731,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3124 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004600720065007100750065006e00630079005f00430043 } /* FileDescription NTIOLibforMSIFrequencyCC */ 
@@ -4938,13 +6747,35 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3124 { } +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5148 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "51480eebbbfb684149842c3e19a8ffbd3f71183c017e0c4bc6cf06aacf9c0292" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200033002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003300200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename 
matches /elbycdio/i +} + + rule PUA_VULN_Renamed_Driver_Safenetinc_Hostnt_Hostnt_07B6 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HOSTNT.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006f00730074006e0074002000360034002d0062006900740020006400720069007600650072 } /* FileDescription Hostntbitdriver */ 
@@ -4960,13 +6791,35 @@ rule PUA_VULN_Renamed_Driver_Safenetinc_Hostnt_Hostnt_07B6 { } +rule PUA_VULN_Renamed_Driver_Proxydrvsys_Nn_0B20 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0b205838a8271daea89656b1ec7c5bb7244c42a8b8000d7697e92095da6b9b94" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c00330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ProxyDrv/i +} + + rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using 
VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -4988,7 +6841,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_76E8 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5010,7 +6863,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_2D2C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
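Review bot: The three strings in PUA_VULN_Renamed_Driver_Proxydrvsys_Nn_0B20 that carry CJK text (FileDescription `96f7795e004e004e52a0901f5668…`, CompanyName `96f7795eff08…`, ProductName `96f7795e004e004e52a0901f5668`) appear to spell each code point big-endian, whereas PE VersionInfo strings are stored UTF-16LE (雷神 is `f7 96 5e 79` on disk, not `96 f7 79 5e`). The ASCII-only strings in these rules still match because their `00 xx` form lines up one byte early on the preceding null byte, but that alignment trick breaks as soon as a high byte is non-zero, so with `all of them` this rule would presumably never fire on the 0b20… sample it was generated from. I would run yara against that sample to confirm; if it misses, write those three values in true little-endian byte order, e.g. `$ = { 00500072006f0064007500630074004e0061006d0065[1-8]f7965e794e004e00a0521f906856 } /* ProductName */`, or drop them and key the rule on the five remaining ASCII fields. The same pattern appears in the other generated rules in this patch that contain non-Latin text.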
@@ -5032,7 +6885,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
@@ -5048,13 +6901,36 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 { } +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_442C { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "442c18aeb09556bb779b21185c4f7e152b892410429c123c86fc209a802bff3c" + hash = "3e1f592533625bf794e0184485a4407782018718ae797103f9e968ff6f0973a1" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e00320030003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300035002e0030003800320035002e0032003000310036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 
004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i +} + + rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_9A95 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -5073,7 +6949,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_CC58 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ 
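Review bot: In the condition of PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_442C the last three `not filename matches` clauses are dead: `/rtkio/i` is an unanchored, case-insensitive substring match, so it already rejects rtkio64, rtkiow8x64 and rtkiow10x64 and the extra clauses never change the result. Trimming to `uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i` preserves behaviour and matches how the neighbouring rules are written. Separately, the CompanyName and ProductName strings end in long runs of `0020` padding copied verbatim from the sample, which ties the rule to that exact padding length; if the second listed hash (3e1f…) or other rtkio builds pad differently they will not satisfy `all of them`, so it is worth verifying the rule against both hashes before shipping.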
@@ -5095,7 +6971,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_C901 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5117,7 +6993,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
@@ -5133,6 +7009,50 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 { } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4AC0 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "4ac08a6035cfcafdac712d7c3cf2eef6e10258f14cee6e80e1ef2f71f5045173" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e003900300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00390030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100300020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all 
of them and not filename matches /HWiNFO32/i +} + + +rule PUA_VULN_Renamed_Driver_Logitech_Lgcoretempsys_Lgcoretemp_E0CB { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgCoreTemp.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430050005500200043006f00720065002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription CPUCoreTemperatureMonitor */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f006700690074006500630068 } /* CompanyName Logitech */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* InternalName LgCoreTempsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c00670043006f0072006500540065006d0070 } /* ProductName LgCoreTemp */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c00670043006f0072006500540065006d0070002e007300790073 } /* OriginalFilename LgCoreTempsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020004c006f006700690074006500630068002c00200049006e0063 } /* LegalCopyright CopyrightLogitechInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /LgCoreTemp/i +} + + rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_C64D { meta: description = "Detects renamed vulnerable driver mentioned in 
LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" @@ -5140,7 +7060,7 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_C64D { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc" hash = "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ 
@@ -5156,13 +7076,56 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_C64D { } +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtierforwindows_V_7A2C { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7a2cd1dc110d014165c001ce65578da0c0c8d7d41cc1fa44f974e8a82296fc25" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00760033002e003100200028003200300030003600300038003000380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nicm/i +} + + +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_16B5 { + meta: + description = "Detects renamed 
vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "16b591cf5dc1e7282fdb25e45497fe3efc8095cbe31c05f6d97c5221a9a547e1" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_263E { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo 
values from the PE header - viragt64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -5184,7 +7147,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E3EF { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5206,7 +7169,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_98B7 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f0072002000440065006200750067004c00450044 } /* FileDescription NTIOLibforDebugLED */ @@ -5228,7 +7191,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ 
@@ -5250,7 +7213,7 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ @@ -5268,11 +7231,11 @@ rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecurit rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -5284,7 +7247,7 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i } @@ -5295,7 +7258,7 @@ rule PUA_VULN_Renamed_Driver_Openlibsysorg_Winringsys_Winring_11BD { reference = "https://github.com/magicsword-io/LOLDrivers" hash = "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5" hash = "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */ 
@@ -5311,13 +7274,35 @@ rule PUA_VULN_Renamed_Driver_Openlibsysorg_Winringsys_Winring_11BD { } +rule PUA_VULN_Renamed_Driver_Genitlkiwibenjaminxxxxx_Titidrv_Titidrvtiticatz_208E { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - titidrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "208ea38734979aa2c86332eba1ea5269999227077ff110ac0a0d411073165f85" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007400690074006900640072007600200066006f0072002000570069006e0064006f00770073002000280074006900740069006300610074007a0029 } /* FileDescription titidrvforWindowstiticatz */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* CompanyName genitlkiwiBenjaminXXXXX */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031002e0030002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0074006900740069006400720076 } /* InternalName titidrv */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0074006900740069006400720076002000280074006900740069006300610074007a0029 } /* ProductName titidrvtiticatz */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0074006900740069006400720076002e007300790073 } /* OriginalFilename titidrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003000370020002d00200032003000310037002000670065006e00690074006c006b0069007700690020002800420065006e006a0061006d0069006e0020005800580058005800580029 } /* LegalCopyright CopyrightcgenitlkiwiBenjaminXXXXX 
*/ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /titidrv/i +} + + rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5339,7 +7324,7 @@ rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
@@ -5355,13 +7340,37 @@ rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 } +rule PUA_VULN_Renamed_Driver_Netfiltersys_79E7 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "79e7165e626c7bde546cd1bea4b9ec206de8bed7821479856bdb0a2adc3e3617" + hash = "edc6e32e3545f859e5b49ece1cabd13623122c1f03a2f7454a61034b3ff577ed" + hash = "18b923b169b2c3c7db5cbfda0db0999f04adb2cf6c917e5b1fb2ff04714ecac1" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570059004a00530051002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription WYJSQTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]5b8f56fe65e05fe7 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* InternalName netfiltersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]65e05fe752a0901f56689a7152a865874ef6 } /* ProductName */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e0065007400660069006c0074006500720032002e007300790073 } /* OriginalFilename netfiltersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000770079006a00730071002e0063006f006d } /* LegalCopyright Copyrightwyjsqcom */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of 
them and not filename matches /netfilter2/i +} + + rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E05E { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ @@ -5383,7 +7392,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_478D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5405,7 +7414,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_BE8D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
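Review bot: PUA_VULN_Renamed_Driver_Netfiltersys_79E7 has the same byte-order problem for its non-Latin strings: CompanyName `5b8f56fe65e05fe7` and ProductName `65e05fe752a0901f5668…` spell code points big-endian, while the PE stores VersionInfo as UTF-16LE (`8f 5b fe 56 e0 65 e7 5f` on disk for the CompanyName value). The ASCII strings tolerate this only because `00 xx` happens to align on the preceding null byte; for CJK characters there is no such alignment, so with `all of them` the rule is unlikely to match any of the three hashes in meta. Please test against the 79e7…/edc6…/18b9… samples and, if it misses, emit those two values in little-endian order, e.g. `$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]8f5bfe56e065e75f } /* CompanyName */`, or rely on the six ASCII fields alone.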
@@ -5427,7 +7436,7 @@ rule PUA_VULN_Renamed_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochku author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */ @@ -5449,7 +7458,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_0F17 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ @@ -5471,7 +7480,7 @@ rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyve author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ 
@@ -5487,13 +7496,35 @@ rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyve } +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7CF7 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "7cf756afcaf2ce4f8fb479fdede152a17eabf4c5c7c329699dab026a4c1d4fd0" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200037 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches 
/elbycdio/i +} + + rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_4408 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ @@ -5515,7 +7546,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
@@ -5531,13 +7562,35 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 { } +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_828A { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "828a18b16418c021b6c4aa8c6d54cef4e815efca0d48b9ff14822f9ccb69dff2" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i 
+} + + rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_3FA6 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5559,7 +7612,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_80A5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5581,7 +7634,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_D783 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -5603,7 +7656,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_ADC1 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5625,7 +7678,7 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_9254 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004400440052005f00430043 } /* FileDescription NTIOLibforMSIDDRCC */ @@ -5647,7 +7700,7 @@ rule PUA_VULN_Renamed_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_F060 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */ @@ -5669,7 +7722,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_EF6D { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -5691,7 +7744,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_CC68 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5713,7 +7766,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Activeclean_A903 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5735,7 +7788,7 @@ rule PUA_VULN_Renamed_Driver_Microfocus_Microfocusxtier_5351 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200053006500630075007200690074007900200043006f006e00740065007800740020004d0061006e0061006700650072 } /* FileDescription XTierSecurityContextManager */ 
@@ -5746,7 +7799,29 @@ rule PUA_VULN_Renamed_Driver_Microfocus_Microfocusxtier_5351 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310037002c0020004d006900630072006f00200046006f006300750073002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightMicroFocusAllRightsReserved */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i +} + + +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_1E9C { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "1e9c236ed39507661ec32731033c4a9b9c97a6221def69200e03685c08e0bfa7" + hash = "76276c87617b836dd6f31b73d2bb0e756d4b3d133bddfe169cb4225124ca6bfb" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310030002e0030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310030 } /* ProductVersion */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 
} /* ProductName NovellXTier */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310032002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nicm/i } @@ -5756,7 +7831,7 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredri author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ 
@@ -5772,13 +7847,35 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredri } +rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_A209 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "a2096b460e31451659b0dde752264c362f47254c8191930bc921ff16a4311641" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them 
and not filename matches /viragt/i +} + + rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_DBC6 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ @@ -5800,7 +7897,7 @@ rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddk author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */ @@ -5822,7 +7919,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_2AFD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -5844,7 +7941,7 @@ rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryz author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -5866,7 +7963,7 @@ rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_8FE9 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */ @@ -5885,7 +7982,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_4BC0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -5907,7 +8004,7 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ 
@@ -5923,13 +8020,57 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 { } +rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_0EAB { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0eab16c7f54b61620277977f8c332737081a46bc6bbde50742b6904bdd54f502" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e0064007200610020004400650076006900630065002000440072006900760065007200200028007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverxUnicode */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00310038002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00310038002e0031002e0031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d00500072006500730065006e0074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright 
CopyrightSiSoftwareLtdPresentAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sandra/i +} + + +rule PUA_VULN_Renamed_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_D53F { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "d53f9111a5e6c94b37e3f39c5860897405cb250dd11aa91c3814a98b1759c055" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004400720069007600650072 } /* FileDescription VirtualBoxGuestDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00760062006f007800670075006500730074 } /* InternalName vboxguest */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760062006f007800670075006500730074002e007300790073 } /* OriginalFilename vboxguestsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + condition: + 
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /vboxguest/i +} + + rule PUA_VULN_Renamed_Driver_Msi_Ntiolibxsys_Ntiolib_09BE { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */ 
@@ -5945,13 +8086,35 @@ rule PUA_VULN_Renamed_Driver_Msi_Ntiolibxsys_Ntiolib_09BE { } +rule PUA_VULN_Renamed_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6701 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "6701433861742c08eb50f1e785962378143ad5b6c374ac29118168599f8a0f1c" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* FileDescription HWiNFOKernelDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200450041004c0069005800280074006d0029 } /* CompanyName REALiXtm */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e00330030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* InternalName HWiNFOSYS */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800570069004e0046004f003300320020004b00650072006e0065006c0020004400720069007600650072 } /* ProductName HWiNFOKernelDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800570069004e0046004f00330032002e005300590053 } /* OriginalFilename HWiNFOSYS */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290031003900390039002d00320030003100310020004d0061007200740069006e0020004d0061006c00ed006b0020002d0020005200450041004c00690058 } /* LegalCopyright CopyrightcMartinMalkREALiX */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not 
filename matches /HWiNFO32/i +} + + rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */ 
@@ -5967,13 +8130,57 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B { } +rule PUA_VULN_Renamed_Driver_Innotekgmbh_Iprt_Virtualboxguestadditions_BBF5 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxMouseNT.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "bbf564a02784d53b8006333406807c3539ee4a594585b1f3713325904cb730ec" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200069003800300034003200200050006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxiPortDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0036002e00320038003200340031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00690038003000340032007000720074 } /* InternalName iprt */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f00780020004700750065007300740020004100640064006900740069006f006e0073 } /* ProductName VirtualBoxGuestAdditions */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004d006f007500730065004e0054002e007300790073 } /* OriginalFilename VBoxMouseNTsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300034002d003200300030003700200069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright CopyrightCinnotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and 
all of them and not filename matches /VBoxMouseNT/i +} + + +rule PUA_VULN_Renamed_Driver_Proxydrvsys_Nn_C0E7 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c0e74f565237c32989cb81234f4b5ad85f9dd731c112847c0a143d771021cb99" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]96f7795e004e004e52a0901f5668002d9a7152a87a0b5e8f65874ef6 } /* FileDescription NN */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]96f7795eff086b666c49ff097f517edc6280672f67099650516c53f8 } /* CompanyName */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c0039002c0035002c0033 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035002e0031002e0030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* InternalName ProxyDrvsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]96f7795e004e004e52a0901f5668 } /* ProductName NN */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500072006f00780079004400720076002e007300790073 } /* OriginalFilename ProxyDrvsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000400020005700770077002e004e006e002e0043006f006d } /* LegalCopyright CopyrightWwwNnCom */ + condition: + uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /ProxyDrv/i +} + + rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_CFB7 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys" author = "Florian Roth" reference = 
"https://github.com/magicsword-io/LOLDrivers" hash = "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -5995,7 +8202,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */ 
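Review bot: `PUA_VULN_Renamed_Driver_Proxydrvsys_Nn_C0E7` bounds the file with `filesize < 200KB` while every other rule in these hunks, including `PUA_VULN_Renamed_Driver_Innotekgmbh_Iprt_Virtualboxguestadditions_BBF5` in the same hunk, uses `filesize < 100KB`; presumably the sample is larger than 100KB, but nothing in the rule says so, and a later normalisation pass could shrink the bound and silently lose the detection. A short trailing comment on the condition line, `/* 200KB: sample exceeds the 100KB bound used elsewhere - verify against the YAML entry */`, would pin the intent. The last rule in the hunk (`..._Vboxdrv_Antidetectpublic_CFB7`) starts in view but its strings and condition continue outside the hunk.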
@@ -6011,13 +8218,35 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex } +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F42E { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "f42eb29f5b2bcb2a70d796fd71fd1b259d5380b216ee672cf46dcdd4604b87ad" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches 
/elbycdio/i +} + + rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_81AA { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ @@ -6039,7 +8268,7 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */ 
@@ -6055,13 +8284,35 @@ rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C { } +rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_B9AE { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b9ae1d53a464bc9bb86782ab6c55e2da8804c80a361139a82a6c8eef30fddd7c" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310034002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /segwindrvx64/i +} + + rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */ 
@@ -6077,13 +8328,78 @@ rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 { } +rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_38D6 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "38d6d90d543bf6037023c1b1b14212b4fa07731cbbb44bdb17e8faffc12b22e8" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200034002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310033002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /segwindrvx64/i +} + + +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_B205 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow8x64.sys " + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* InternalName rtkiowxsys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkiow8x64/i +} + + +rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtierforwindows_V_CA34 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "ca34f945117ec853a713183fa4e8cf85ea0c2c49ca26e73d869fee021f7b491d" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */ + $ = { 
00500072006f006400750063007400560065007200730069006f006e[1-8]00760032002e003000200028003200300030003600300038003000380029 } /* ProductVersion v */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c00200058005400690065007200200066006f0072002000570069006e0064006f00770073 } /* ProductName NovellXTierforWindows */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390037002d00320030003000370020004e006f00760065006c006c002c00200049006e0063002e } /* LegalCopyright CopyrightNovellInc */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i +} + + rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_AD23 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */ 
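Review bot: The Novell rule's exemption `not filename matches /nscm/i` is an unanchored, case-insensitive substring test, so any file whose name merely contains `nscm` (e.g. `winscm.sys`, `nscm_x64.sys`) is never reported as renamed by this rule even though it clearly is. The other stems in this hunk have the same shape, but four characters is the narrowest one added here. If the scanner supplies `filename` as the base name, an anchored form such as `not filename matches /^nscm\.sys$/i` keeps the intended exemption and nothing else; the patch drops the `/EIO/i` rule further down, which may be for the same reason. Separately, the B205 description string carries a trailing space (`rtkiow8x64.sys `) that looks unintended.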
@@ -6105,7 +8421,7 @@ rule PUA_VULN_Renamed_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceve author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e0053007900730020002d0020004500760065006e00740020004d006f006e00690074006f00720069006e00670020006400720069007600650072 } /* FileDescription VProEventMonitorSysEventMonitoringdriver */ 
@@ -6121,13 +8437,57 @@ rule PUA_VULN_Renamed_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceve } +rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_EAA5 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "eaa5dae373553024d7294105e4e07d996f3a8bd47c770cdf8df79bf57619a8cd" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055002d005a0020004400720069007600650072 } /* FileDescription CPUZDriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i +} + + +rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_8EF5 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "8ef59605ebb2cb259f19aba1a8c122629c224c58e603f270eaa72f516277620c" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e00320030003100350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300032002e0030003100310036002e0032003000310035 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f0044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio/i and not filename matches /rtkio64/i and not filename matches /rtkiow8x64/i and not filename matches /rtkiow10x64/i +} + + rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0B2A { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */ 
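Review bot: In the Realtek 8EF5 rule the four exclusion clauses collapse to one: `/rtkio/i` is an unanchored substring match that already covers `rtkio64`, `rtkiow8x64` and `rtkiow10x64`, so the three extra `and not filename matches` terms can never change the result. Either keep only `not filename matches /rtkio/i`, or, if the intent is to exempt exactly those four names, anchor them as `not filename matches /^rtkio(64|w8x64|w10x64)?\.sys$/i` (assuming the scanner passes the base name in `filename`). Note also that the InternalName and OriginalFilename strings pin `rtkio64.sys ` with a trailing 0x0020, so despite the description listing four names only builds carrying that exact padded VersionInfo can satisfy `all of them`.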
@@ -6149,7 +8509,7 @@ rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_372 author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */ @@ -6171,7 +8531,7 @@ rule PUA_VULN_Renamed_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardware author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* FileDescription Hardwarereadwritedriver */ 
@@ -6187,35 +8547,13 @@ rule PUA_VULN_Renamed_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardware } -rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_CF69 { - meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys" - author = "Florian Roth" - reference = "https://github.com/magicsword-io/LOLDrivers" - hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb" - date = "2023-07-14" - score = 70 - strings: - $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */ - $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */ - $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */ - $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */ - $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */ - $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */ - $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */ - $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */ - condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /EIO/i -} 
- - rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */ 
@@ -6231,13 +8569,35 @@ rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredri } +rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantimalwaredriver_E505 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "e505569892551b2ba79d8792badff0a41faea033e8d8f85c3afea33463c70bd9" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200045004c0041004d00200044007200690076006500720020002800360034002d0042006900740029 } /* FileDescription TrendMicroELAMDriverBit */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000300034 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* InternalName Tmelsys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f0020004500610072006c00790020004c00610075006e0063006800200041006e00740069002d004d0061006c00770061007200650020004400720069007600650072 } /* ProductName TrendMicroEarlyLaunchAntiMalwareDriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0065006c002e007300790073 } /* OriginalFilename Tmelsys */ + $ = { 
004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Tmel/i +} + + rule PUA_VULN_Renamed_Driver_Logmeininc_Lmiinfosys_Logmein_453B { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LMIinfo.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0067004d00650049006e0020004b00650072006e0065006c00200049006e0066006f0072006d006100740069006f006e002000500072006f00760069006400650072 } /* FileDescription LogMeInKernelInformationProvider */ 
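Review bot: The generated trailing comments in the Tmel rule drop spaces, digits and punctuation from the decoded values (`/* FileDescription TrendMicroELAMDriverBit */` for hex that actually encodes `TrendMicro ELAM Driver (64-Bit)`, and `/* ProductVersion */` with no value at all), so a reviewer cannot check a UTF-16 byte string against the intended text without decoding it by hand. Having the generator emit the verbatim decoded value, e.g. `/* FileDescription "TrendMicro ELAM Driver (64-Bit)" */` and `/* ProductVersion "1.6" */`, would make the hex auditable in review and make encoding slips visible. This is a generator-wide style point rather than something specific to this rule.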
@@ -6255,11 +8615,11 @@ rule PUA_VULN_Renamed_Driver_Logmeininc_Lmiinfosys_Logmein_453B { rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { meta: - description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys" + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */ 
@@ -6271,7 +8631,29 @@ rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 { $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ condition: - uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i +} + + +rule PUA_VULN_Renamed_Driver_Innotekgmbh_Vboxusbsys_Virtualboxusbdriver_C509 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "c509935f3812ad9b363754216561e0a529fc2d5b8e86bfa7302b8d149b7d04aa" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* FileDescription VirtualBoxUSBdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* CompanyName innotekGmbH */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300031 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300031 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* InternalName VBoxUSBSys */ + $ = { 
00500072006f0064007500630074004e0061006d0065[1-8]005600690072007400750061006c0042006f007800200055005300420020006400720069007600650072 } /* ProductName VirtualBoxUSBdriver */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078005500530042002e005300790073 } /* OriginalFilename VBoxUSBSys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0069006e006e006f00740065006b00200047006d00620048 } /* LegalCopyright innotekGmbH */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VBoxUSB/i } @@ -6281,7 +8663,7 @@ rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Iomapsys_Asuskernelmodedriverfor author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* FileDescription ASUSKernelModeDriverforNT */ @@ -6303,7 +8685,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_EBE2 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
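Review bot: The new VBoxUSB rule's exemption `not filename matches /VBoxUSB/i` is an unanchored substring match, so a copy of this driver dropped under any longer name containing `VBoxUSB` (a sibling VirtualBox driver name such as `VBoxUSBMon.sys`, for instance) would not be flagged as renamed even though it is. If `filename` is the base name, `not filename matches /^VBoxUSB\.sys$/i` exempts only the genuine name. The `/ElbyCDIO/i` to `/elbycdio/i` change earlier in the same hunk is a no-op under the `i` flag, which is harmless but worth knowing when reading the diffstat.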
@@ -6325,7 +8707,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_7AD0 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */ @@ -6347,7 +8729,7 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */ 
@@ -6363,13 +8745,35 @@ rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 { } +rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_AF16 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "af16c36480d806adca881e4073dcd41acb20c35ed0b1a8f9bd4331de655036e1" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* FileVersion */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200032002c00200030002c00200030 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003200200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */ + condition: + uint16(0) == 0x5a4d and filesize < 100KB and all of them and 
not filename matches /elbycdio/i +} + + rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_FF96 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */ @@ -6391,7 +8795,7 @@ rule PUA_VULN_Renamed_Driver_Nvidiacorporation_Nvflash_Nvidiaflashdriver_AFDD { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072002c002000560065007200730069006f006e00200031002e0038002e0030 } /* FileDescription NVIDIAFlashDriverVersion */ @@ -6413,7 +8817,7 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */ 
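Review bot: The condition of the new rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_AF16 depends on the external variable `filename`, so the rule, and with it the whole file, only compiles when the scanner defines that variable (`yara -d filename=<name>`, or a tool that sets it); a plain `yara` invocation stops with an undefined-identifier error. The surrounding rules share this dependency and the file header, which is outside this chunk, may already state it; if it does not, a one-line comment near the top such as `// requires the external variable "filename" (e.g. yara -d filename=<name>)` would save users a failed compile. The same applies to PUA_VULN_Renamed_Driver_Netfiltersdkcom_Lgdcatchersys_Netfiltersdk_0C42 in the next hunk.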
@@ -6429,13 +8833,35 @@ rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 { } +rule PUA_VULN_Renamed_Driver_Netfiltersdkcom_Lgdcatchersys_Netfiltersdk_0C42 { + meta: + description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDCatcher.sys" + author = "Florian Roth" + reference = "https://github.com/magicsword-io/LOLDrivers" + hash = "0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5" + date = "2023-07-31" + score = 70 + strings: + $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0065007400460069006c007400650072002000530044004b002000540044004900200048006f006f006b0020004400720069007600650072002000280057005000500029 } /* FileDescription NetFilterSDKTDIHookDriverWPP */ + $ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* CompanyName NetFilterSDKcom */ + $ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0039002e00380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */ + $ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0038002e0039 } /* ProductVersion */ + $ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* InternalName LgDCatchersys */ + $ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0065007400460069006c007400650072002000530044004b } /* ProductName NetFilterSDK */ + $ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c006700440043006100740063006800650072002e007300790073 } /* OriginalFilename LgDCatchersys */ + $ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020003f0020004e0065007400460069006c00740065007200530044004b002e0063006f006d } /* LegalCopyright CopyrightNetFilterSDKcom */ + condition: + uint16(0) 
== 0x5a4d and filesize < 100KB and all of them and not filename matches /LgDCatcher/i +} + + rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 { meta: description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050004e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPNPDriver */ @@ -6457,7 +8883,7 @@ rule PUA_VULN_Renamed_Driver_Mitactechnologycorporation_Mtcbsvsys_Mitacsystemser author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */ @@ -6479,7 +8905,7 @@ rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EC5F { author = "Florian Roth" reference = "https://github.com/magicsword-io/LOLDrivers" hash = "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5" - date = "2023-07-14" + date = "2023-07-31" score = 70 strings: $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */ 
@@ -6501,7 +8927,7 @@ rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processex
 author = "Florian Roth"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 hash = "30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb"
- date = "2023-07-14"
+ date = "2023-07-31"
 score = 70
 strings:
 $ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
diff --git a/yaml/0258df5c-c3c1-4ed5-ba8f-846d91526ffe.yaml b/yaml/0258df5c-c3c1-4ed5-ba8f-846d91526ffe.yaml
index 94cd54510..faa82f23a 100644
--- a/yaml/0258df5c-c3c1-4ed5-ba8f-846d91526ffe.yaml
+++ b/yaml/0258df5c-c3c1-4ed5-ba8f-846d91526ffe.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 0258df5c-c3c1-4ed5-ba8f-846d91526ffe
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/02e4a30f-8aa8-4ff0-8e02-1bff1d0f088f.yaml b/yaml/02e4a30f-8aa8-4ff0-8e02-1bff1d0f088f.yaml
index 593fe296f..0d5eeb094 100644
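Review bot: The added `sysmon_hash_detect` and `sysmon_hash_block` items duplicate the two context lines directly above them, so after this change the Detection list of 0258df5c carries each of those references twice; the head of the list is above the hunk, and if it already holds sigma entries those are doubled as well. The same duplication appears in the hunks for 04d377f9, 080ff223, 0f59ce3b, 127cde1d, 137daca4, 17cf4fac, 19d16518, 1c6e1d3b, 1c7631f0, 1d2cdef1, 20076ebf and 205721b7. Since these files are written by bin/enrich_with_yara.py, the fix belongs there: skip an item when one with the same `type` and `value` is already in the list, or rebuild the Detection list instead of appending to it, then re-run the script so the committed YAML loses the duplicates.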
--- a/yaml/02e4a30f-8aa8-4ff0-8e02-1bff1d0f088f.yaml
+++ b/yaml/02e4a30f-8aa8-4ff0-8e02-1bff1d0f088f.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 02e4a30f-8aa8-4ff0-8e02-1bff1d0f088f
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/04d377f9-36e0-42a4-8d47-62232163dc68.yaml b/yaml/04d377f9-36e0-42a4-8d47-62232163dc68.yaml
index d861855da..ce05dae30 100644
--- a/yaml/04d377f9-36e0-42a4-8d47-62232163dc68.yaml
+++ b/yaml/04d377f9-36e0-42a4-8d47-62232163dc68.yaml
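Review bot: The placeholder item `- type: ''` / `value: ''` in the context lines is kept and the real detections are appended below it, so 02e4a30f now lists an empty detection type ahead of five real ones, and anything that iterates Detection and renders each type will emit a blank entry. The same leftover appears in the hunks for 080a834f, 0baa833c, 0e3b0052, 0f8e317e, 1aeb1205, 213676bb and 2225128d, whereas the hunk for 19003e00 replaces `Detection: []` outright, which is the right shape. This hunk should also drop the two placeholder lines `- type: ''` and `value: ''`, and bin/enrich_with_yara.py should discard empty-typed items before it writes the list.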
@@ -24,6 +24,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 04d377f9-36e0-42a4-8d47-62232163dc68
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/080a834f-3e19-4cae-b940-a4ecf901db28.yaml b/yaml/080a834f-3e19-4cae-b940-a4ecf901db28.yaml
index b7b7491fe..93fb19b6f 100644
--- a/yaml/080a834f-3e19-4cae-b940-a4ecf901db28.yaml
+++ b/yaml/080a834f-3e19-4cae-b940-a4ecf901db28.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 080a834f-3e19-4cae-b940-a4ecf901db28
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/080ff223-f8e0-49c0-a7b5-e97349cf81a0.yaml b/yaml/080ff223-f8e0-49c0-a7b5-e97349cf81a0.yaml
index 82965761c..b0c5e5ee6 100644
--- a/yaml/080ff223-f8e0-49c0-a7b5-e97349cf81a0.yaml
+++ b/yaml/080ff223-f8e0-49c0-a7b5-e97349cf81a0.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 080ff223-f8e0-49c0-a7b5-e97349cf81a0
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/0baa833c-e4e1-449e-86ee-cafeb11f5fd5.yaml b/yaml/0baa833c-e4e1-449e-86ee-cafeb11f5fd5.yaml
index b4ab315fa..8d9d8da68 100644
--- a/yaml/0baa833c-e4e1-449e-86ee-cafeb11f5fd5.yaml
+++ b/yaml/0baa833c-e4e1-449e-86ee-cafeb11f5fd5.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 0baa833c-e4e1-449e-86ee-cafeb11f5fd5
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/0e3b0052-18c7-4c8b-a064-a1332df07af2.yaml b/yaml/0e3b0052-18c7-4c8b-a064-a1332df07af2.yaml
index 45e5f7cb4..fa16c4d60 100644
--- a/yaml/0e3b0052-18c7-4c8b-a064-a1332df07af2.yaml
+++ b/yaml/0e3b0052-18c7-4c8b-a064-a1332df07af2.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 0e3b0052-18c7-4c8b-a064-a1332df07af2
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/0f59ce3b-20ac-41ba-8010-2abc74827eb8.yaml b/yaml/0f59ce3b-20ac-41ba-8010-2abc74827eb8.yaml
index 01bac3c1c..8737792c1 100644
--- a/yaml/0f59ce3b-20ac-41ba-8010-2abc74827eb8.yaml
+++ b/yaml/0f59ce3b-20ac-41ba-8010-2abc74827eb8.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 0f59ce3b-20ac-41ba-8010-2abc74827eb8
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/0f8e317e-ad2b-4b02-9f96-603bb8d28604.yaml b/yaml/0f8e317e-ad2b-4b02-9f96-603bb8d28604.yaml
index dd6b335a2..94766fe61 100644
--- a/yaml/0f8e317e-ad2b-4b02-9f96-603bb8d28604.yaml
+++ b/yaml/0f8e317e-ad2b-4b02-9f96-603bb8d28604.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 0f8e317e-ad2b-4b02-9f96-603bb8d28604
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/127cde1d-905e-4c67-a2c3-04ea4deaea7d.yaml b/yaml/127cde1d-905e-4c67-a2c3-04ea4deaea7d.yaml
index cbbb3c49c..155d7eabc 100644
--- a/yaml/127cde1d-905e-4c67-a2c3-04ea4deaea7d.yaml
+++ b/yaml/127cde1d-905e-4c67-a2c3-04ea4deaea7d.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 127cde1d-905e-4c67-a2c3-04ea4deaea7d
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/137daca4-0d7b-48aa-8574-f7eb6ad02526.yaml b/yaml/137daca4-0d7b-48aa-8574-f7eb6ad02526.yaml
index fcc64693b..0a9a84419 100644
--- a/yaml/137daca4-0d7b-48aa-8574-f7eb6ad02526.yaml
+++ b/yaml/137daca4-0d7b-48aa-8574-f7eb6ad02526.yaml
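Review bot: The `yara_signature` item added for 127cde1d points at `yara-rules_mal_drivers_strict.yar`, while every other file in this series and the `sigma_hash`, `sigma_names` and `sysmon_*` items in this same hunk reference the vulnerable-driver artefacts. If 127cde1d is catalogued as a malicious rather than a vulnerable driver, the YARA choice is presumably what bin/enrich_with_yara.py intends, but then pairing it with the vulnerable-driver sigma and sysmon lists looks inconsistent. Worth confirming which category the entry belongs to and having the script pick the whole set of references by category rather than one type at a time.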
@@ -24,6 +24,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 137daca4-0d7b-48aa-8574-f7eb6ad02526
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/17cf4fac-88f1-467d-9f62-481d33accc5b.yaml b/yaml/17cf4fac-88f1-467d-9f62-481d33accc5b.yaml
index a2be74dd9..b2f680735 100644
--- a/yaml/17cf4fac-88f1-467d-9f62-481d33accc5b.yaml
+++ b/yaml/17cf4fac-88f1-467d-9f62-481d33accc5b.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 17cf4fac-88f1-467d-9f62-481d33accc5b
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/19003e00-d42d-4cbe-91f3-756451bdd7da.yaml b/yaml/19003e00-d42d-4cbe-91f3-756451bdd7da.yaml
index 5b075fc4c..69256782e 100644
--- a/yaml/19003e00-d42d-4cbe-91f3-756451bdd7da.yaml
+++ b/yaml/19003e00-d42d-4cbe-91f3-756451bdd7da.yaml
@@ -11,7 +11,17 @@ Commands:
 Privileges: kernel
 Usecase: Elevate privileges
 Created: '2023-01-09'
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 19003e00-d42d-4cbe-91f3-756451bdd7da
 KnownVulnerableSamples:
 - Company: ''
diff --git a/yaml/19d16518-4aee-4983-ba89-dbbe0fa8a3e7.yaml b/yaml/19d16518-4aee-4983-ba89-dbbe0fa8a3e7.yaml
index f0c504bd2..12ccf749a 100644
--- a/yaml/19d16518-4aee-4983-ba89-dbbe0fa8a3e7.yaml
+++ b/yaml/19d16518-4aee-4983-ba89-dbbe0fa8a3e7.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 19d16518-4aee-4983-ba89-dbbe0fa8a3e7
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/1aeb1205-8b02-42b6-a563-b953ea337c19.yaml b/yaml/1aeb1205-8b02-42b6-a563-b953ea337c19.yaml
index 791b7f404..4da67070b 100644
--- a/yaml/1aeb1205-8b02-42b6-a563-b953ea337c19.yaml
+++ b/yaml/1aeb1205-8b02-42b6-a563-b953ea337c19.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 1aeb1205-8b02-42b6-a563-b953ea337c19
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/1c6e1d3b-f825-4065-9e0c-83386883e40f.yaml b/yaml/1c6e1d3b-f825-4065-9e0c-83386883e40f.yaml
index 555af42df..2f2c60d6c 100644
--- a/yaml/1c6e1d3b-f825-4065-9e0c-83386883e40f.yaml
+++ b/yaml/1c6e1d3b-f825-4065-9e0c-83386883e40f.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 1c6e1d3b-f825-4065-9e0c-83386883e40f
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/1c7631f0-f92f-4be5-8ba7-3eefb0601d45.yaml b/yaml/1c7631f0-f92f-4be5-8ba7-3eefb0601d45.yaml
index b6360b4e5..9bea920f8 100644
--- a/yaml/1c7631f0-f92f-4be5-8ba7-3eefb0601d45.yaml
+++ b/yaml/1c7631f0-f92f-4be5-8ba7-3eefb0601d45.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 1c7631f0-f92f-4be5-8ba7-3eefb0601d45
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/1d2cdef1-de44-4849-80e5-e2fa288df681.yaml b/yaml/1d2cdef1-de44-4849-80e5-e2fa288df681.yaml
index ccaf579c9..6b0c12fc4 100644
--- a/yaml/1d2cdef1-de44-4849-80e5-e2fa288df681.yaml
+++ b/yaml/1d2cdef1-de44-4849-80e5-e2fa288df681.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 1d2cdef1-de44-4849-80e5-e2fa288df681
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/20076ebf-4427-4056-b035-5238f95debe9.yaml b/yaml/20076ebf-4427-4056-b035-5238f95debe9.yaml
index b92c4cd04..99915022f 100644
--- a/yaml/20076ebf-4427-4056-b035-5238f95debe9.yaml
+++ b/yaml/20076ebf-4427-4056-b035-5238f95debe9.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 20076ebf-4427-4056-b035-5238f95debe9
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/205721b7-b83b-414a-b4b5-8bacb4a37777.yaml b/yaml/205721b7-b83b-414a-b4b5-8bacb4a37777.yaml
index 3728a9632..bdb92823d 100644
--- a/yaml/205721b7-b83b-414a-b4b5-8bacb4a37777.yaml
+++ b/yaml/205721b7-b83b-414a-b4b5-8bacb4a37777.yaml
@@ -24,6 +24,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 205721b7-b83b-414a-b4b5-8bacb4a37777
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/213676bb-ffb9-4d0d-a442-8cefee63acc1.yaml b/yaml/213676bb-ffb9-4d0d-a442-8cefee63acc1.yaml
index 589fd7e58..1f2a70b52 100644
--- a/yaml/213676bb-ffb9-4d0d-a442-8cefee63acc1.yaml
+++ b/yaml/213676bb-ffb9-4d0d-a442-8cefee63acc1.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 213676bb-ffb9-4d0d-a442-8cefee63acc1
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/2225128d-a23f-434a-aaee-69a88ea64fbd.yaml b/yaml/2225128d-a23f-434a-aaee-69a88ea64fbd.yaml
index 821766a97..9695f506d 100644
--- a/yaml/2225128d-a23f-434a-aaee-69a88ea64fbd.yaml
+++ b/yaml/2225128d-a23f-434a-aaee-69a88ea64fbd.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 2225128d-a23f-434a-aaee-69a88ea64fbd
 KnownVulnerableSamples:
 - Authentihash:
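Review bot: The placeholder item `- type: ''` / `value: ''` is kept at the head of the Detection list in both hunks on this line (213676bb and 2225128d) while real entries are appended below it, so anything iterating the list gets an item with an empty type and an empty URL before the usable ones. The empty item should be dropped in the same change, i.e. the two context lines become `-- type: ''` / `-  value: ''`, or the enrichment step should discard blank entries before appending to the list.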
diff --git a/yaml/22aa985b-5fdb-4e38-9382-a496220c27ec.yaml b/yaml/22aa985b-5fdb-4e38-9382-a496220c27ec.yaml
index 74f595ce9..9dcdd2832 100644
--- a/yaml/22aa985b-5fdb-4e38-9382-a496220c27ec.yaml
+++ b/yaml/22aa985b-5fdb-4e38-9382-a496220c27ec.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 22aa985b-5fdb-4e38-9382-a496220c27ec
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/23f11e19-0776-4dd4-9c9c-7f6b60f8553f.yaml b/yaml/23f11e19-0776-4dd4-9c9c-7f6b60f8553f.yaml
index d8a884b04..ace76e1e7 100644
--- a/yaml/23f11e19-0776-4dd4-9c9c-7f6b60f8553f.yaml
+++ b/yaml/23f11e19-0776-4dd4-9c9c-7f6b60f8553f.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 23f11e19-0776-4dd4-9c9c-7f6b60f8553f
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/24fb7bab-b8c3-46ea-a370-c84d2f0ff614.yaml b/yaml/24fb7bab-b8c3-46ea-a370-c84d2f0ff614.yaml
index 2d0ffa74a..6e1e17ac0 100644
--- a/yaml/24fb7bab-b8c3-46ea-a370-c84d2f0ff614.yaml
+++ b/yaml/24fb7bab-b8c3-46ea-a370-c84d2f0ff614.yaml
@@ -26,6 +26,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 24fb7bab-b8c3-46ea-a370-c84d2f0ff614
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/2b949a0d-939f-456a-a34f-4589d7712227.yaml b/yaml/2b949a0d-939f-456a-a34f-4589d7712227.yaml
index 9e69125f0..8d3a9c9b1 100644
--- a/yaml/2b949a0d-939f-456a-a34f-4589d7712227.yaml
+++ b/yaml/2b949a0d-939f-456a-a34f-4589d7712227.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 2b949a0d-939f-456a-a34f-4589d7712227
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/2bea1bca-753c-4f09-bc9f-566ab0193f4a.yaml b/yaml/2bea1bca-753c-4f09-bc9f-566ab0193f4a.yaml
index 358227b46..dea64ef42 100644
--- a/yaml/2bea1bca-753c-4f09-bc9f-566ab0193f4a.yaml
+++ b/yaml/2bea1bca-753c-4f09-bc9f-566ab0193f4a.yaml
@@ -34,6 +34,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 2bea1bca-753c-4f09-bc9f-566ab0193f4a
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/2c3884d3-9e4f-4519-b18b-0969612621bc.yaml b/yaml/2c3884d3-9e4f-4519-b18b-0969612621bc.yaml
index 758907517..985a99267 100644
--- a/yaml/2c3884d3-9e4f-4519-b18b-0969612621bc.yaml
+++ b/yaml/2c3884d3-9e4f-4519-b18b-0969612621bc.yaml
@@ -11,7 +11,17 @@ Commands:
 Privileges: kernel
 Usecase: Denial of Service
 Created: '2023-04-15'
-Detection: []
+Detection:
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 2c3884d3-9e4f-4519-b18b-0969612621bc
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/2e4fedb0-30ed-400d-b4e1-b2b2004c1607.yaml b/yaml/2e4fedb0-30ed-400d-b4e1-b2b2004c1607.yaml
index b303ae4ee..e6b97b9d3 100644
--- a/yaml/2e4fedb0-30ed-400d-b4e1-b2b2004c1607.yaml
+++ b/yaml/2e4fedb0-30ed-400d-b4e1-b2b2004c1607.yaml
@@ -24,6 +24,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 2e4fedb0-30ed-400d-b4e1-b2b2004c1607
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/31686f0e-3748-48c2-be09-fc8f3252e780.yaml b/yaml/31686f0e-3748-48c2-be09-fc8f3252e780.yaml
index bce43b7cb..37f755678 100644
--- a/yaml/31686f0e-3748-48c2-be09-fc8f3252e780.yaml
+++ b/yaml/31686f0e-3748-48c2-be09-fc8f3252e780.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 31686f0e-3748-48c2-be09-fc8f3252e780
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/31797996-6973-402d-a4a0-d01ce51e02c0.yaml b/yaml/31797996-6973-402d-a4a0-d01ce51e02c0.yaml
index 75f86bc7e..f02c3e8fb 100644
--- a/yaml/31797996-6973-402d-a4a0-d01ce51e02c0.yaml
+++ b/yaml/31797996-6973-402d-a4a0-d01ce51e02c0.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 31797996-6973-402d-a4a0-d01ce51e02c0
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/3277cecc-f4b4-4a00-be01-9da83e013bcd.yaml b/yaml/3277cecc-f4b4-4a00-be01-9da83e013bcd.yaml
index 760daa0e8..ed5fb1393 100644
--- a/yaml/3277cecc-f4b4-4a00-be01-9da83e013bcd.yaml
+++ b/yaml/3277cecc-f4b4-4a00-be01-9da83e013bcd.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 3277cecc-f4b4-4a00-be01-9da83e013bcd
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/32ccd436-eb13-4ab3-83d4-3e5471f4e364.yaml b/yaml/32ccd436-eb13-4ab3-83d4-3e5471f4e364.yaml
index f2244e160..0891593d3 100644
--- a/yaml/32ccd436-eb13-4ab3-83d4-3e5471f4e364.yaml
+++ b/yaml/32ccd436-eb13-4ab3-83d4-3e5471f4e364.yaml
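Review bot: The `yara_signature` entry in this hunk points at `yara-rules_mal_drivers_strict.yar`, while its `sigma_hash` and `sigma_names` entries reference the same `driver_load_win_vuln_drivers*` rules every other hunk uses; the hunk for 33a9c9ae has the same mix. If 3277cecc and 33a9c9ae are classified as malicious rather than vulnerable drivers, the sigma references presumably should point at the corresponding malicious-driver rules rather than the vulnerable-driver ones; if they are not, the yara path is the odd one out. Worth confirming against the classification the enrichment step uses before these files are published.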
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 32ccd436-eb13-4ab3-83d4-3e5471f4e364
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/33a9c9ae-5ca3-442d-9f0f-2615637c1c57.yaml b/yaml/33a9c9ae-5ca3-442d-9f0f-2615637c1c57.yaml
index 0ed1bc54d..a4e5fcbe8 100644
--- a/yaml/33a9c9ae-5ca3-442d-9f0f-2615637c1c57.yaml
+++ b/yaml/33a9c9ae-5ca3-442d-9f0f-2615637c1c57.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 33a9c9ae-5ca3-442d-9f0f-2615637c1c57
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/351ff5ca-f07b-4eb6-9300-d5d31514defb.yaml b/yaml/351ff5ca-f07b-4eb6-9300-d5d31514defb.yaml
index ada2d42e1..ca16dd352 100644
--- a/yaml/351ff5ca-f07b-4eb6-9300-d5d31514defb.yaml
+++ b/yaml/351ff5ca-f07b-4eb6-9300-d5d31514defb.yaml
@@ -24,6 +24,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 351ff5ca-f07b-4eb6-9300-d5d31514defb
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/39742f99-2180-46d7-8538-56667c935cc3.yaml b/yaml/39742f99-2180-46d7-8538-56667c935cc3.yaml
index f49728bd9..c6aaa2859 100644
--- a/yaml/39742f99-2180-46d7-8538-56667c935cc3.yaml
+++ b/yaml/39742f99-2180-46d7-8538-56667c935cc3.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 39742f99-2180-46d7-8538-56667c935cc3
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/3ab0d182-6365-47a7-89f4-34121e889503.yaml b/yaml/3ab0d182-6365-47a7-89f4-34121e889503.yaml
index 23abc8be2..b2ebfdb74 100644
--- a/yaml/3ab0d182-6365-47a7-89f4-34121e889503.yaml
+++ b/yaml/3ab0d182-6365-47a7-89f4-34121e889503.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 3ab0d182-6365-47a7-89f4-34121e889503
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/3ac0eda2-a844-4a9d-9cfa-c25a9e05d678.yaml b/yaml/3ac0eda2-a844-4a9d-9cfa-c25a9e05d678.yaml
index 429e3cc35..17ad45871 100644
--- a/yaml/3ac0eda2-a844-4a9d-9cfa-c25a9e05d678.yaml
+++ b/yaml/3ac0eda2-a844-4a9d-9cfa-c25a9e05d678.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 3ac0eda2-a844-4a9d-9cfa-c25a9e05d678
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/3bc629e8-7bf8-40c2-965b-87eb155e0065.yaml b/yaml/3bc629e8-7bf8-40c2-965b-87eb155e0065.yaml
index d0901e255..d84c4caab 100644
--- a/yaml/3bc629e8-7bf8-40c2-965b-87eb155e0065.yaml
+++ b/yaml/3bc629e8-7bf8-40c2-965b-87eb155e0065.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 3bc629e8-7bf8-40c2-965b-87eb155e0065
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/3e0bf6dc-791b-4170-8c40-427e7299d93d.yaml b/yaml/3e0bf6dc-791b-4170-8c40-427e7299d93d.yaml
index 9669e80fb..291ff436a 100644
--- a/yaml/3e0bf6dc-791b-4170-8c40-427e7299d93d.yaml
+++ b/yaml/3e0bf6dc-791b-4170-8c40-427e7299d93d.yaml
@@ -30,6 +30,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 3e0bf6dc-791b-4170-8c40-427e7299d93d
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/3f39af20-802a-4909-a5de-7f6fe7aab350.yaml b/yaml/3f39af20-802a-4909-a5de-7f6fe7aab350.yaml
index 465bc9165..36e81faa7 100644
--- a/yaml/3f39af20-802a-4909-a5de-7f6fe7aab350.yaml
+++ b/yaml/3f39af20-802a-4909-a5de-7f6fe7aab350.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 3f39af20-802a-4909-a5de-7f6fe7aab350
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/40bfb01b-d251-4c2c-952e-052a89a76f5b.yaml b/yaml/40bfb01b-d251-4c2c-952e-052a89a76f5b.yaml
index e398b6b3d..44b84bf40 100644
--- a/yaml/40bfb01b-d251-4c2c-952e-052a89a76f5b.yaml
+++ b/yaml/40bfb01b-d251-4c2c-952e-052a89a76f5b.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 40bfb01b-d251-4c2c-952e-052a89a76f5b
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/43d0af25-c066-471f-bb73-6ce25dc7e0eb.yaml b/yaml/43d0af25-c066-471f-bb73-6ce25dc7e0eb.yaml
index 03f8d60c4..a8de713a1 100644
--- a/yaml/43d0af25-c066-471f-bb73-6ce25dc7e0eb.yaml
+++ b/yaml/43d0af25-c066-471f-bb73-6ce25dc7e0eb.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 43d0af25-c066-471f-bb73-6ce25dc7e0eb
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/47724cc1-bf75-4ab7-a47a-355a9aa30de1.yaml b/yaml/47724cc1-bf75-4ab7-a47a-355a9aa30de1.yaml
index 288d706e5..fdb5768bb 100644
--- a/yaml/47724cc1-bf75-4ab7-a47a-355a9aa30de1.yaml
+++ b/yaml/47724cc1-bf75-4ab7-a47a-355a9aa30de1.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 47724cc1-bf75-4ab7-a47a-355a9aa30de1
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/47a351ee-8abe-40d8-bc2b-557390fa0945.yaml b/yaml/47a351ee-8abe-40d8-bc2b-557390fa0945.yaml
index 99e37b1ea..cf6e66117 100644
--- a/yaml/47a351ee-8abe-40d8-bc2b-557390fa0945.yaml
+++ b/yaml/47a351ee-8abe-40d8-bc2b-557390fa0945.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 47a351ee-8abe-40d8-bc2b-557390fa0945
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/47fe1aaf-02cd-4a41-8bf5-0047015a2a6e.yaml b/yaml/47fe1aaf-02cd-4a41-8bf5-0047015a2a6e.yaml
index a0c4c1e89..b982a011e 100644
--- a/yaml/47fe1aaf-02cd-4a41-8bf5-0047015a2a6e.yaml
+++ b/yaml/47fe1aaf-02cd-4a41-8bf5-0047015a2a6e.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 47fe1aaf-02cd-4a41-8bf5-0047015a2a6e
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/48bc2815-85ec-4436-a51a-69810c8cb171.yaml b/yaml/48bc2815-85ec-4436-a51a-69810c8cb171.yaml
index 9eb37c682..f69a65871 100644
--- a/yaml/48bc2815-85ec-4436-a51a-69810c8cb171.yaml
+++ b/yaml/48bc2815-85ec-4436-a51a-69810c8cb171.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 48bc2815-85ec-4436-a51a-69810c8cb171
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/4a80da66-f8f1-4af9-ba56-696cfe6c1e10.yaml b/yaml/4a80da66-f8f1-4af9-ba56-696cfe6c1e10.yaml
index 6b20c269d..23c5fb857 100644
--- a/yaml/4a80da66-f8f1-4af9-ba56-696cfe6c1e10.yaml
+++ b/yaml/4a80da66-f8f1-4af9-ba56-696cfe6c1e10.yaml
@@ -26,6 +26,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 4a80da66-f8f1-4af9-ba56-696cfe6c1e10
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/4d365dd0-34c3-492e-a2bd-c16266796ae5.yaml b/yaml/4d365dd0-34c3-492e-a2bd-c16266796ae5.yaml
index 21b874d3c..5750e31b3 100644
--- a/yaml/4d365dd0-34c3-492e-a2bd-c16266796ae5.yaml
+++ b/yaml/4d365dd0-34c3-492e-a2bd-c16266796ae5.yaml
@@ -26,6 +26,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 4d365dd0-34c3-492e-a2bd-c16266796ae5
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/4db827b1-325b-444d-9f23-171285a4d12f.yaml b/yaml/4db827b1-325b-444d-9f23-171285a4d12f.yaml
index ef259c91d..ba724ef4e 100644
--- a/yaml/4db827b1-325b-444d-9f23-171285a4d12f.yaml
+++ b/yaml/4db827b1-325b-444d-9f23-171285a4d12f.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 4db827b1-325b-444d-9f23-171285a4d12f
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/51c342f3-0b91-4674-8f81-bc016855f30f.yaml b/yaml/51c342f3-0b91-4674-8f81-bc016855f30f.yaml
index 4e8c7c662..2758f4a32 100644
--- a/yaml/51c342f3-0b91-4674-8f81-bc016855f30f.yaml
+++ b/yaml/51c342f3-0b91-4674-8f81-bc016855f30f.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 51c342f3-0b91-4674-8f81-bc016855f30f
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/54d67d79-0268-4c5f-be7e-0f74cd20828a.yaml b/yaml/54d67d79-0268-4c5f-be7e-0f74cd20828a.yaml
index c19ed7b98..1d1826b9d 100644
--- a/yaml/54d67d79-0268-4c5f-be7e-0f74cd20828a.yaml
+++ b/yaml/54d67d79-0268-4c5f-be7e-0f74cd20828a.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 54d67d79-0268-4c5f-be7e-0f74cd20828a
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/57f63efb-dc43-4dba-9413-173e3e4be750.yaml b/yaml/57f63efb-dc43-4dba-9413-173e3e4be750.yaml
index 911bda565..e2225dc22 100644
--- a/yaml/57f63efb-dc43-4dba-9413-173e3e4be750.yaml
+++ b/yaml/57f63efb-dc43-4dba-9413-173e3e4be750.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 57f63efb-dc43-4dba-9413-173e3e4be750
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/57fc510a-e649-4599-b83e-8f3605e3d1d9.yaml b/yaml/57fc510a-e649-4599-b83e-8f3605e3d1d9.yaml
index 6f25f7cea..41328208a 100644
--- a/yaml/57fc510a-e649-4599-b83e-8f3605e3d1d9.yaml
+++ b/yaml/57fc510a-e649-4599-b83e-8f3605e3d1d9.yaml
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 57fc510a-e649-4599-b83e-8f3605e3d1d9
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/5943b267-64f3-40d4-8669-354f23dec122.yaml b/yaml/5943b267-64f3-40d4-8669-354f23dec122.yaml
index 46f4ce2b2..4d7a14860 100644
--- a/yaml/5943b267-64f3-40d4-8669-354f23dec122.yaml
+++ b/yaml/5943b267-64f3-40d4-8669-354f23dec122.yaml
@@ -30,6 +30,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 5943b267-64f3-40d4-8669-354f23dec122
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/5961e133-ccc3-4530-8f4f-5d975c41028d.yaml b/yaml/5961e133-ccc3-4530-8f4f-5d975c41028d.yaml
index 2703327f0..670bb3ec9 100644
--- a/yaml/5961e133-ccc3-4530-8f4f-5d975c41028d.yaml
+++ b/yaml/5961e133-ccc3-4530-8f4f-5d975c41028d.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 5961e133-ccc3-4530-8f4f-5d975c41028d
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/5969b6dc-b136-480e-a527-3cb2ea2f0da9.yaml b/yaml/5969b6dc-b136-480e-a527-3cb2ea2f0da9.yaml
index 7fcb7efd0..a90f30c3b 100644
--- a/yaml/5969b6dc-b136-480e-a527-3cb2ea2f0da9.yaml
+++ b/yaml/5969b6dc-b136-480e-a527-3cb2ea2f0da9.yaml
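Review bot: The empty placeholder entry `- type: ''` / `value: ''` is kept as the first Detection item while the real entries are appended after it, so the list now carries an entry with a blank type that any consumer iterating Detection has to special-case. The enrichment should drop the placeholder once at least one real detection is written, e.g. filter out items whose type is '' before appending. The same leftover placeholder appears in the hunks for 5a03dc5a, 5ad8a3b6, 6c0c60f0, 705facba and 70fa8606.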
@@ -28,6 +28,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 5969b6dc-b136-480e-a527-3cb2ea2f0da9
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/5a03dc5a-115d-4d6f-b5b5-685f4c014a69.yaml b/yaml/5a03dc5a-115d-4d6f-b5b5-685f4c014a69.yaml
index 857ea75a2..37274a606 100644
--- a/yaml/5a03dc5a-115d-4d6f-b5b5-685f4c014a69.yaml
+++ b/yaml/5a03dc5a-115d-4d6f-b5b5-685f4c014a69.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 5a03dc5a-115d-4d6f-b5b5-685f4c014a69
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c.yaml b/yaml/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c.yaml
index 7765a88fe..5f496fdf6 100644
--- a/yaml/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c.yaml
+++ b/yaml/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/5af9abf0-d8de-4e9b-8141-e9e97a31901a.yaml b/yaml/5af9abf0-d8de-4e9b-8141-e9e97a31901a.yaml
index b1b3e4725..707491cf3 100644
--- a/yaml/5af9abf0-d8de-4e9b-8141-e9e97a31901a.yaml
+++ b/yaml/5af9abf0-d8de-4e9b-8141-e9e97a31901a.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 5af9abf0-d8de-4e9b-8141-e9e97a31901a
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/5f70bde4-9f81-44a8-9d3e-c6c7cf65bfae.yaml b/yaml/5f70bde4-9f81-44a8-9d3e-c6c7cf65bfae.yaml
index e0d5df2aa..0e22c0af6 100644
--- a/yaml/5f70bde4-9f81-44a8-9d3e-c6c7cf65bfae.yaml
+++ b/yaml/5f70bde4-9f81-44a8-9d3e-c6c7cf65bfae.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 5f70bde4-9f81-44a8-9d3e-c6c7cf65bfae
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/61514cbd-6f34-4a3e-a022-9ecbccc16feb.yaml b/yaml/61514cbd-6f34-4a3e-a022-9ecbccc16feb.yaml
index cd681581f..5c0f714cb 100644
--- a/yaml/61514cbd-6f34-4a3e-a022-9ecbccc16feb.yaml
+++ b/yaml/61514cbd-6f34-4a3e-a022-9ecbccc16feb.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 61514cbd-6f34-4a3e-a022-9ecbccc16feb
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/670dc258-78b5-4552-a16b-b41917c86f8d.yaml b/yaml/670dc258-78b5-4552-a16b-b41917c86f8d.yaml
index 581c116a7..6bb034ca0 100644
--- a/yaml/670dc258-78b5-4552-a16b-b41917c86f8d.yaml
+++ b/yaml/670dc258-78b5-4552-a16b-b41917c86f8d.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 670dc258-78b5-4552-a16b-b41917c86f8d
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/6a50e368-1120-434b-9232-1a0702c80437.yaml b/yaml/6a50e368-1120-434b-9232-1a0702c80437.yaml
index 77c7e064f..c93b1c14f 100644
--- a/yaml/6a50e368-1120-434b-9232-1a0702c80437.yaml
+++ b/yaml/6a50e368-1120-434b-9232-1a0702c80437.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 6a50e368-1120-434b-9232-1a0702c80437
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/6c0c60f0-895d-428a-a8ae-e10390bceb12.yaml b/yaml/6c0c60f0-895d-428a-a8ae-e10390bceb12.yaml
index 9474c3769..5c13f083f 100644
--- a/yaml/6c0c60f0-895d-428a-a8ae-e10390bceb12.yaml
+++ b/yaml/6c0c60f0-895d-428a-a8ae-e10390bceb12.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 6c0c60f0-895d-428a-a8ae-e10390bceb12
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/6d21df78-d718-44df-b722-99eec654f5b2.yaml b/yaml/6d21df78-d718-44df-b722-99eec654f5b2.yaml
index 45699067a..c42cce057 100644
--- a/yaml/6d21df78-d718-44df-b722-99eec654f5b2.yaml
+++ b/yaml/6d21df78-d718-44df-b722-99eec654f5b2.yaml
@@ -25,6 +25,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 6d21df78-d718-44df-b722-99eec654f5b2
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/6fc3034f-8b40-44ef-807a-f61d3ea2dece.yaml b/yaml/6fc3034f-8b40-44ef-807a-f61d3ea2dece.yaml
index f6f046905..d3dcb4c8a 100644
--- a/yaml/6fc3034f-8b40-44ef-807a-f61d3ea2dece.yaml
+++ b/yaml/6fc3034f-8b40-44ef-807a-f61d3ea2dece.yaml
@@ -22,6 +22,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 6fc3034f-8b40-44ef-807a-f61d3ea2dece
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/705facba-b595-41dd-86a6-93aefe6a6234.yaml b/yaml/705facba-b595-41dd-86a6-93aefe6a6234.yaml
index dc552ead0..d94828331 100644
--- a/yaml/705facba-b595-41dd-86a6-93aefe6a6234.yaml
+++ b/yaml/705facba-b595-41dd-86a6-93aefe6a6234.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
 value: ''
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 705facba-b595-41dd-86a6-93aefe6a6234
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/70acea34-7ed2-42d5-885c-eca3c2de640c.yaml b/yaml/70acea34-7ed2-42d5-885c-eca3c2de640c.yaml
index 057e9a687..b3b78adb0 100644
--- a/yaml/70acea34-7ed2-42d5-885c-eca3c2de640c.yaml
+++ b/yaml/70acea34-7ed2-42d5-885c-eca3c2de640c.yaml
@@ -24,6 +24,16 @@ Detection:
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
 value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+ value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: 70acea34-7ed2-42d5-885c-eca3c2de640c
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/70fa8606-c147-4c40-8b7a-980290075327.yaml b/yaml/70fa8606-c147-4c40-8b7a-980290075327.yaml
index e4fd03dcc..168f867f7 100644
--- a/yaml/70fa8606-c147-4c40-8b7a-980290075327.yaml
+++ b/yaml/70fa8606-c147-4c40-8b7a-980290075327.yaml
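Review bot: The yara_signature added here points at yara-rules_mal_drivers_strict.yar while the sigma and sysmon entries appended alongside it still reference the vuln_drivers rule set, unlike every other hunk in this range where all five entries belong to the vulnerable-driver set. This is presumably intentional if the entry is categorised as a malicious rather than vulnerable driver, but it is worth confirming that the enrichment picks the matching sigma/sysmon variants per category instead of always emitting the vuln_ ones. The same mixed pairing appears in the hunk for 72637cb1.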
@@ -15,6 +15,16 @@ Created: '2023-07-22' Detection: - type: '' value: '' +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 70fa8606-c147-4c40-8b7a-980290075327 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/72637cb1-5ca2-4ad0-a5df-20da17b231b5.yaml b/yaml/72637cb1-5ca2-4ad0-a5df-20da17b231b5.yaml index e05c978a0..21e763b7c 100644 --- a/yaml/72637cb1-5ca2-4ad0-a5df-20da17b231b5.yaml +++ b/yaml/72637cb1-5ca2-4ad0-a5df-20da17b231b5.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 72637cb1-5ca2-4ad0-a5df-20da17b231b5 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/73290fcb-a0d7-481e-81a5-65a9859b50f5.yaml b/yaml/73290fcb-a0d7-481e-81a5-65a9859b50f5.yaml index a0010e688..d8e2f3df1 100644 --- a/yaml/73290fcb-a0d7-481e-81a5-65a9859b50f5.yaml +++ b/yaml/73290fcb-a0d7-481e-81a5-65a9859b50f5.yaml 
@@ -15,6 +15,16 @@ Created: '2023-07-22' Detection: - type: '' value: '' +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 73290fcb-a0d7-481e-81a5-65a9859b50f5 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/76b5dfae-b384-45ce-8646-b2eec6b76a1e.yaml b/yaml/76b5dfae-b384-45ce-8646-b2eec6b76a1e.yaml index a3cd2546e..87d8065f8 100644 --- a/yaml/76b5dfae-b384-45ce-8646-b2eec6b76a1e.yaml +++ b/yaml/76b5dfae-b384-45ce-8646-b2eec6b76a1e.yaml 
@@ -30,6 +30,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 76b5dfae-b384-45ce-8646-b2eec6b76a1e KnownVulnerableSamples: - Authentihash: diff --git a/yaml/7bb5ff05-25f8-410d-ae99-c8e8f082d24f.yaml b/yaml/7bb5ff05-25f8-410d-ae99-c8e8f082d24f.yaml index 9b1a6f7d6..dd3230d54 100644 --- a/yaml/7bb5ff05-25f8-410d-ae99-c8e8f082d24f.yaml +++ b/yaml/7bb5ff05-25f8-410d-ae99-c8e8f082d24f.yaml 
@@ -26,6 +26,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 7bb5ff05-25f8-410d-ae99-c8e8f082d24f KnownVulnerableSamples: - Authentihash: diff --git a/yaml/7ce8fb06-46eb-4f4f-90d5-5518a6561f15.yaml b/yaml/7ce8fb06-46eb-4f4f-90d5-5518a6561f15.yaml index 6033a494c..65ef25368 100644 --- a/yaml/7ce8fb06-46eb-4f4f-90d5-5518a6561f15.yaml +++ b/yaml/7ce8fb06-46eb-4f4f-90d5-5518a6561f15.yaml 
@@ -23,6 +23,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 7ce8fb06-46eb-4f4f-90d5-5518a6561f15 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/7f645b95-4374-47ae-be1a-e4415308b550.yaml b/yaml/7f645b95-4374-47ae-be1a-e4415308b550.yaml index 55f0c228f..51fb68f1f 100644 --- a/yaml/7f645b95-4374-47ae-be1a-e4415308b550.yaml +++ b/yaml/7f645b95-4374-47ae-be1a-e4415308b550.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 7f645b95-4374-47ae-be1a-e4415308b550 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/81a73e57-2e92-4d21-97d3-1c21eb4c3aea.yaml b/yaml/81a73e57-2e92-4d21-97d3-1c21eb4c3aea.yaml index 5dea9f56f..ccfd4bc41 100644 --- a/yaml/81a73e57-2e92-4d21-97d3-1c21eb4c3aea.yaml +++ b/yaml/81a73e57-2e92-4d21-97d3-1c21eb4c3aea.yaml 
@@ -24,6 +24,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 81a73e57-2e92-4d21-97d3-1c21eb4c3aea KnownVulnerableSamples: - Authentihash: diff --git a/yaml/855ade1f-8a9e-4c9d-ab8e-d7e409609852.yaml b/yaml/855ade1f-8a9e-4c9d-ab8e-d7e409609852.yaml index 5f29c34c9..94e531466 100644 --- a/yaml/855ade1f-8a9e-4c9d-ab8e-d7e409609852.yaml +++ b/yaml/855ade1f-8a9e-4c9d-ab8e-d7e409609852.yaml 
@@ -24,6 +24,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 855ade1f-8a9e-4c9d-ab8e-d7e409609852 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/86cff0de-2536-4b8d-a846-a7312c569597.yaml b/yaml/86cff0de-2536-4b8d-a846-a7312c569597.yaml index 1c6cf18e5..dc0c96f83 100644 --- a/yaml/86cff0de-2536-4b8d-a846-a7312c569597.yaml +++ b/yaml/86cff0de-2536-4b8d-a846-a7312c569597.yaml 
@@ -24,6 +24,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 86cff0de-2536-4b8d-a846-a7312c569597 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/87752fb8-e9f6-4235-91e2-c4343677d817.yaml b/yaml/87752fb8-e9f6-4235-91e2-c4343677d817.yaml index 3fe61684a..918fc9619 100644 --- a/yaml/87752fb8-e9f6-4235-91e2-c4343677d817.yaml +++ b/yaml/87752fb8-e9f6-4235-91e2-c4343677d817.yaml 
@@ -23,6 +23,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 87752fb8-e9f6-4235-91e2-c4343677d817 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/892292f9-b87c-40a5-80e5-8c9b02914e8b.yaml b/yaml/892292f9-b87c-40a5-80e5-8c9b02914e8b.yaml index 948e14d87..643e7d7ea 100644 --- a/yaml/892292f9-b87c-40a5-80e5-8c9b02914e8b.yaml +++ b/yaml/892292f9-b87c-40a5-80e5-8c9b02914e8b.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 892292f9-b87c-40a5-80e5-8c9b02914e8b KnownVulnerableSamples: - Authentihash: diff --git a/yaml/8ff4ab50-05b7-4bfa-b994-1920c4ed4978.yaml b/yaml/8ff4ab50-05b7-4bfa-b994-1920c4ed4978.yaml index ba0b88ee1..5a996a0a9 100644 --- a/yaml/8ff4ab50-05b7-4bfa-b994-1920c4ed4978.yaml +++ b/yaml/8ff4ab50-05b7-4bfa-b994-1920c4ed4978.yaml 
@@ -24,6 +24,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 8ff4ab50-05b7-4bfa-b994-1920c4ed4978 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f.yaml b/yaml/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f.yaml index 49e0749fd..9b4628fef 100644 --- a/yaml/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f.yaml +++ b/yaml/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f.yaml 
@@ -26,6 +26,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f KnownVulnerableSamples: - Authentihash: diff --git a/yaml/93740202-930c-4ab4-8603-8ec9532c5415.yaml b/yaml/93740202-930c-4ab4-8603-8ec9532c5415.yaml index 4900eaa50..ead163266 100644 --- a/yaml/93740202-930c-4ab4-8603-8ec9532c5415.yaml +++ b/yaml/93740202-930c-4ab4-8603-8ec9532c5415.yaml 
@@ -15,7 +15,17 @@ Commands: Privileges: kernel Usecase: Elevate privileges Created: '2023-06-05' -Detection: [] +Detection: +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 93740202-930c-4ab4-8603-8ec9532c5415 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/93c84c08-4683-493d-abf7-22dc2d1cb567.yaml b/yaml/93c84c08-4683-493d-abf7-22dc2d1cb567.yaml index b5d004364..37260a724 100644 --- a/yaml/93c84c08-4683-493d-abf7-22dc2d1cb567.yaml +++ b/yaml/93c84c08-4683-493d-abf7-22dc2d1cb567.yaml 
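Review bot: All five values are `github.com/.../blob/main/...` links, which resolve to the GitHub HTML page for a file on a moving branch rather than to rule content at a known revision; anyone who wires these into tooling gets whatever is on `main` at fetch time, and a later rename of a rule file (which appears to be what prompted this patch) silently breaks every reference in the data set. Pinning to a commit (`blob/<sha>/...`) or publishing a `raw.githubusercontent.com` URL alongside would make the references stable and machine-consumable; this applies to every file in the patch, but this hunk is the one where the generated list is otherwise clean, since the old `Detection: []` is replaced rather than appended to. The yara_signature entry also references the entire `yara-rules_mal_drivers_strict.yar` rule set rather than the rule for this driver, so a consumer still has to search the file for the matching hash.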
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 93c84c08-4683-493d-abf7-22dc2d1cb567 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/97fa88f6-3819-4d56-a82c-52a492a9e2b5.yaml b/yaml/97fa88f6-3819-4d56-a82c-52a492a9e2b5.yaml index 3ed54d498..0087d4339 100644 --- a/yaml/97fa88f6-3819-4d56-a82c-52a492a9e2b5.yaml +++ b/yaml/97fa88f6-3819-4d56-a82c-52a492a9e2b5.yaml 
@@ -15,6 +15,16 @@ Created: '2023-07-22' Detection: - type: '' value: '' +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 97fa88f6-3819-4d56-a82c-52a492a9e2b5 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/998ed67c-9c20-46ef-a6ba-abc606b540b9.yaml b/yaml/998ed67c-9c20-46ef-a6ba-abc606b540b9.yaml index 38010ee91..a24c4cae5 100644 --- a/yaml/998ed67c-9c20-46ef-a6ba-abc606b540b9.yaml +++ b/yaml/998ed67c-9c20-46ef-a6ba-abc606b540b9.yaml @@ -15,6 +15,16 @@ Created: '2023-07-22' Detection: - type: '' value: '' +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 998ed67c-9c20-46ef-a6ba-abc606b540b9 KnownVulnerableSamples: - Authentihash: 
diff --git a/yaml/999a11ae-ec2b-4863-baa4-1384ec2b7339.yaml b/yaml/999a11ae-ec2b-4863-baa4-1384ec2b7339.yaml index 84fb223a2..55a3a6d3f 100644 --- a/yaml/999a11ae-ec2b-4863-baa4-1384ec2b7339.yaml +++ b/yaml/999a11ae-ec2b-4863-baa4-1384ec2b7339.yaml @@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 999a11ae-ec2b-4863-baa4-1384ec2b7339 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/9a4fb66e-9084-4b21-9d76-a7afbe330606.yaml b/yaml/9a4fb66e-9084-4b21-9d76-a7afbe330606.yaml index 46bc0a534..3d3355d95 100644 --- a/yaml/9a4fb66e-9084-4b21-9d76-a7afbe330606.yaml +++ b/yaml/9a4fb66e-9084-4b21-9d76-a7afbe330606.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 9a4fb66e-9084-4b21-9d76-a7afbe330606 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/9c3c6e89-3916-498f-81e5-da057ab3ed42.yaml b/yaml/9c3c6e89-3916-498f-81e5-da057ab3ed42.yaml index 6ca3004e3..349412288 100644 --- a/yaml/9c3c6e89-3916-498f-81e5-da057ab3ed42.yaml +++ b/yaml/9c3c6e89-3916-498f-81e5-da057ab3ed42.yaml 
@@ -26,6 +26,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 9c3c6e89-3916-498f-81e5-da057ab3ed42 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/9ca73d04-3349-4c16-9384-94c43335a031.yaml b/yaml/9ca73d04-3349-4c16-9384-94c43335a031.yaml index 8fe8d6a40..f9bb04e2b 100644 --- a/yaml/9ca73d04-3349-4c16-9384-94c43335a031.yaml +++ b/yaml/9ca73d04-3349-4c16-9384-94c43335a031.yaml 
@@ -15,6 +15,16 @@ Created: '2023-07-22' Detection: - type: '' value: '' +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 9ca73d04-3349-4c16-9384-94c43335a031 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/9e87b6b0-00ed-4259-bcd7-05e2c924d58c.yaml b/yaml/9e87b6b0-00ed-4259-bcd7-05e2c924d58c.yaml index 528e75915..7843d1f7e 100644 --- a/yaml/9e87b6b0-00ed-4259-bcd7-05e2c924d58c.yaml +++ b/yaml/9e87b6b0-00ed-4259-bcd7-05e2c924d58c.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: 9e87b6b0-00ed-4259-bcd7-05e2c924d58c KnownVulnerableSamples: - Authentihash: diff --git a/yaml/a22104a8-126d-449f-ba3e-28678c60c587.yaml b/yaml/a22104a8-126d-449f-ba3e-28678c60c587.yaml index f3599345e..89519449d 100644 --- a/yaml/a22104a8-126d-449f-ba3e-28678c60c587.yaml +++ b/yaml/a22104a8-126d-449f-ba3e-28678c60c587.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: a22104a8-126d-449f-ba3e-28678c60c587 KnownVulnerableSamples: - Authentihash: diff --git a/yaml/a261cd64-0d04-4bf5-ad73-f3bb96bf83cf.yaml b/yaml/a261cd64-0d04-4bf5-ad73-f3bb96bf83cf.yaml index a02b37bdf..acca189ff 100644 --- a/yaml/a261cd64-0d04-4bf5-ad73-f3bb96bf83cf.yaml +++ b/yaml/a261cd64-0d04-4bf5-ad73-f3bb96bf83cf.yaml 
@@ -22,6 +22,16 @@ Detection: value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml - type: sysmon_hash_block value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml +- type: yara_signature + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar +- type: sigma_hash + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml +- type: sigma_names + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml +- type: sysmon_hash_detect + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml +- type: sysmon_hash_block + value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml Id: a261cd64-0d04-4bf5-ad73-f3bb96bf83cf KnownVulnerableSamples: - Authentihash: diff --git a/yaml/a285591e-ad3c-46a3-a648-c58589ff5efc.yaml b/yaml/a285591e-ad3c-46a3-a648-c58589ff5efc.yaml index 94e04868b..fee598cf9 100644 --- a/yaml/a285591e-ad3c-46a3-a648-c58589ff5efc.yaml +++ b/yaml/a285591e-ad3c-46a3-a648-c58589ff5efc.yaml 
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: a285591e-ad3c-46a3-a648-c58589ff5efc
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/a33de377-d2c2-4c71-98ca-cd0be8d284f9.yaml b/yaml/a33de377-d2c2-4c71-98ca-cd0be8d284f9.yaml
index 0ffc9ec23..31093e625 100644
--- a/yaml/a33de377-d2c2-4c71-98ca-cd0be8d284f9.yaml
+++ b/yaml/a33de377-d2c2-4c71-98ca-cd0be8d284f9.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: a33de377-d2c2-4c71-98ca-cd0be8d284f9
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f.yaml b/yaml/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f.yaml
index cd6270c4d..1386e441f 100644
--- a/yaml/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f.yaml
+++ b/yaml/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/a5ebba11-5a31-48d2-9c6d-78bba397edf1.yaml b/yaml/a5ebba11-5a31-48d2-9c6d-78bba397edf1.yaml
index 6cdd91610..9f43d1872 100644
--- a/yaml/a5ebba11-5a31-48d2-9c6d-78bba397edf1.yaml
+++ b/yaml/a5ebba11-5a31-48d2-9c6d-78bba397edf1.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: a5ebba11-5a31-48d2-9c6d-78bba397edf1
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/a66d0413-cc82-4f1e-bcf1-0dcf9d79f6c0.yaml b/yaml/a66d0413-cc82-4f1e-bcf1-0dcf9d79f6c0.yaml
index 93ec12eb1..b6cadf35d 100644
--- a/yaml/a66d0413-cc82-4f1e-bcf1-0dcf9d79f6c0.yaml
+++ b/yaml/a66d0413-cc82-4f1e-bcf1-0dcf9d79f6c0.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: a66d0413-cc82-4f1e-bcf1-0dcf9d79f6c0
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/a7775cbe-624b-4b04-b74f-969f77c2ac02.yaml b/yaml/a7775cbe-624b-4b04-b74f-969f77c2ac02.yaml
index 6b833d7b4..3ce9c9b9c 100644
--- a/yaml/a7775cbe-624b-4b04-b74f-969f77c2ac02.yaml
+++ b/yaml/a7775cbe-624b-4b04-b74f-969f77c2ac02.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: a7775cbe-624b-4b04-b74f-969f77c2ac02
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/a7bba474-815f-49be-bddc-4d76a64c866c.yaml b/yaml/a7bba474-815f-49be-bddc-4d76a64c866c.yaml
index 4292ecaae..6664bfbe8 100644
--- a/yaml/a7bba474-815f-49be-bddc-4d76a64c866c.yaml
+++ b/yaml/a7bba474-815f-49be-bddc-4d76a64c866c.yaml
@@ -104,6 +104,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: a7bba474-815f-49be-bddc-4d76a64c866c
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/a845a05c-5357-4b78-9783-16b4d34b2cb0.yaml b/yaml/a845a05c-5357-4b78-9783-16b4d34b2cb0.yaml
index 2b8ee90f5..c399861a3 100644
--- a/yaml/a845a05c-5357-4b78-9783-16b4d34b2cb0.yaml
+++ b/yaml/a845a05c-5357-4b78-9783-16b4d34b2cb0.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: a845a05c-5357-4b78-9783-16b4d34b2cb0
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/a8e999ee-746f-4788-9102-c1d3d2914f56.yaml b/yaml/a8e999ee-746f-4788-9102-c1d3d2914f56.yaml
index 582ffc71d..1e4dbd8ef 100644
--- a/yaml/a8e999ee-746f-4788-9102-c1d3d2914f56.yaml
+++ b/yaml/a8e999ee-746f-4788-9102-c1d3d2914f56.yaml
@@ -11,7 +11,17 @@ Commands:
   Privileges: kernel
   Usecase: Elevate privileges
 Created: '2023-01-09'
-Detection: []
+Detection:
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: a8e999ee-746f-4788-9102-c1d3d2914f56
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/aa687f89-4f3b-4b59-b64e-fee5e2ae2310.yaml b/yaml/aa687f89-4f3b-4b59-b64e-fee5e2ae2310.yaml
index 8d805d29a..6b53aecd3 100644
--- a/yaml/aa687f89-4f3b-4b59-b64e-fee5e2ae2310.yaml
+++ b/yaml/aa687f89-4f3b-4b59-b64e-fee5e2ae2310.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: aa687f89-4f3b-4b59-b64e-fee5e2ae2310
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/ad21819d-3080-4fe2-89b1-74385031fb4d.yaml b/yaml/ad21819d-3080-4fe2-89b1-74385031fb4d.yaml
index 900abf2f1..506d347c5 100644
--- a/yaml/ad21819d-3080-4fe2-89b1-74385031fb4d.yaml
+++ b/yaml/ad21819d-3080-4fe2-89b1-74385031fb4d.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: ad21819d-3080-4fe2-89b1-74385031fb4d
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6.yaml b/yaml/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6.yaml
index b09cf8df4..840bf44b1 100644
--- a/yaml/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6.yaml
+++ b/yaml/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/b72f7335-6f27-42c5-85f5-ed7eb9016eac.yaml b/yaml/b72f7335-6f27-42c5-85f5-ed7eb9016eac.yaml
index fc0260df7..e4c187165 100644
--- a/yaml/b72f7335-6f27-42c5-85f5-ed7eb9016eac.yaml
+++ b/yaml/b72f7335-6f27-42c5-85f5-ed7eb9016eac.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: b72f7335-6f27-42c5-85f5-ed7eb9016eac
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/babe348d-f160-41ec-9db9-2413b989c1f0.yaml b/yaml/babe348d-f160-41ec-9db9-2413b989c1f0.yaml
index 3b44c53d0..ee14103f9 100644
--- a/yaml/babe348d-f160-41ec-9db9-2413b989c1f0.yaml
+++ b/yaml/babe348d-f160-41ec-9db9-2413b989c1f0.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
   value: ''
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: babe348d-f160-41ec-9db9-2413b989c1f0
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/bb808089-5857-4df2-8998-753a7106cb44.yaml b/yaml/bb808089-5857-4df2-8998-753a7106cb44.yaml
index 6afa64e9e..76c17b73c 100644
--- a/yaml/bb808089-5857-4df2-8998-753a7106cb44.yaml
+++ b/yaml/bb808089-5857-4df2-8998-753a7106cb44.yaml
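Review bot: The pre-existing placeholder entry `- type: ''` / `value: ''` at the head of Detection is kept while the five real entries are appended below it, so babe348d now carries an empty detection record next to the real ones, and anything that iterates Detection to render or export detections will emit a blank type/value row. The fix in this file is to delete those two placeholder lines; the enrichment script should also filter out entries whose `type` and `value` are both empty before appending, so the placeholder case is handled the same way as the `Detection: []` case in a8e999ee. The `Created: '2023-07-22'` line in the hunk header suggests this entry was added shortly before this run, so the placeholder is presumably a template artefact rather than meaningful data.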
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: bb808089-5857-4df2-8998-753a7106cb44
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/bc5e020a-ecff-43c8-b57b-ee17b5f65b21.yaml b/yaml/bc5e020a-ecff-43c8-b57b-ee17b5f65b21.yaml
index 1f7eb0527..45bedca22 100644
--- a/yaml/bc5e020a-ecff-43c8-b57b-ee17b5f65b21.yaml
+++ b/yaml/bc5e020a-ecff-43c8-b57b-ee17b5f65b21.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: bc5e020a-ecff-43c8-b57b-ee17b5f65b21
 KnownVulnerableSamples:
 - Authentihash:
@@ -846,8 +856,8 @@ KnownVulnerableSamples:
   Version: 1
 MitreID: T1068
 Resources:
-- 'https://github.com/jbaines-r7/dellicious'
-- 'https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/'
+- https://github.com/jbaines-r7/dellicious
+- https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
 Tags:
 - sandra.sys
 Verified: 'TRUE'
diff --git a/yaml/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc.yaml b/yaml/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc.yaml
index 888eb943e..c0615adb0 100644
--- a/yaml/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc.yaml
+++ b/yaml/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/bf01915d-045f-442c-a74e-25c56182123f.yaml b/yaml/bf01915d-045f-442c-a74e-25c56182123f.yaml
index 7f6de4d4d..de5ca13c4 100644
--- a/yaml/bf01915d-045f-442c-a74e-25c56182123f.yaml
+++ b/yaml/bf01915d-045f-442c-a74e-25c56182123f.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: bf01915d-045f-442c-a74e-25c56182123f
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/c3cca618-5a7f-4a51-8785-cb328fbfb0df.yaml b/yaml/c3cca618-5a7f-4a51-8785-cb328fbfb0df.yaml
index 945c85098..6ff5fe466 100644
--- a/yaml/c3cca618-5a7f-4a51-8785-cb328fbfb0df.yaml
+++ b/yaml/c3cca618-5a7f-4a51-8785-cb328fbfb0df.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: c3cca618-5a7f-4a51-8785-cb328fbfb0df
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/ca1e8664-841f-4e4b-9e67-3f515cc249c6.yaml b/yaml/ca1e8664-841f-4e4b-9e67-3f515cc249c6.yaml
index 5e65eb28e..816c93b2e 100644
--- a/yaml/ca1e8664-841f-4e4b-9e67-3f515cc249c6.yaml
+++ b/yaml/ca1e8664-841f-4e4b-9e67-3f515cc249c6.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: ca1e8664-841f-4e4b-9e67-3f515cc249c6
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/ca415ed5-b611-4840-bfb2-6e1eacac33d1.yaml b/yaml/ca415ed5-b611-4840-bfb2-6e1eacac33d1.yaml
index 664c69cfc..8c1da9a9d 100644
--- a/yaml/ca415ed5-b611-4840-bfb2-6e1eacac33d1.yaml
+++ b/yaml/ca415ed5-b611-4840-bfb2-6e1eacac33d1.yaml
@@ -24,6 +24,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: ca415ed5-b611-4840-bfb2-6e1eacac33d1
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/ca768fc5-9b5c-4ced-90ab-fd6be9a70199.yaml b/yaml/ca768fc5-9b5c-4ced-90ab-fd6be9a70199.yaml
index 77c68be3c..723266846 100644
--- a/yaml/ca768fc5-9b5c-4ced-90ab-fd6be9a70199.yaml
+++ b/yaml/ca768fc5-9b5c-4ced-90ab-fd6be9a70199.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: ca768fc5-9b5c-4ced-90ab-fd6be9a70199
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/cf49f43c-d7b4-4c1a-a40d-1be36ea64bff.yaml b/yaml/cf49f43c-d7b4-4c1a-a40d-1be36ea64bff.yaml
index eb3c97005..5db555829 100644
--- a/yaml/cf49f43c-d7b4-4c1a-a40d-1be36ea64bff.yaml
+++ b/yaml/cf49f43c-d7b4-4c1a-a40d-1be36ea64bff.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: cf49f43c-d7b4-4c1a-a40d-1be36ea64bff
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/cfdc5cb4-be5c-4dcc-a883-825fa72115b4.yaml b/yaml/cfdc5cb4-be5c-4dcc-a883-825fa72115b4.yaml
index 38d22583d..84bbd646f 100644
--- a/yaml/cfdc5cb4-be5c-4dcc-a883-825fa72115b4.yaml
+++ b/yaml/cfdc5cb4-be5c-4dcc-a883-825fa72115b4.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: cfdc5cb4-be5c-4dcc-a883-825fa72115b4
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/d0048840-970f-4ad5-9a07-1d39469d721f.yaml b/yaml/d0048840-970f-4ad5-9a07-1d39469d721f.yaml
index e1fb53fd4..4e488448c 100644
--- a/yaml/d0048840-970f-4ad5-9a07-1d39469d721f.yaml
+++ b/yaml/d0048840-970f-4ad5-9a07-1d39469d721f.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: d0048840-970f-4ad5-9a07-1d39469d721f
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/d2806397-9ceb-47c8-b5f3-3aabec182ff5.yaml b/yaml/d2806397-9ceb-47c8-b5f3-3aabec182ff5.yaml
index 1b0e68076..5a82ed9a2 100644
--- a/yaml/d2806397-9ceb-47c8-b5f3-3aabec182ff5.yaml
+++ b/yaml/d2806397-9ceb-47c8-b5f3-3aabec182ff5.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: d2806397-9ceb-47c8-b5f3-3aabec182ff5
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/d819bee2-3bff-481f-a301-acc3d1f5fe58.yaml b/yaml/d819bee2-3bff-481f-a301-acc3d1f5fe58.yaml
index 7b11f0afc..c4dc22237 100644
--- a/yaml/d819bee2-3bff-481f-a301-acc3d1f5fe58.yaml
+++ b/yaml/d819bee2-3bff-481f-a301-acc3d1f5fe58.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: d819bee2-3bff-481f-a301-acc3d1f5fe58
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/d9e00cc7-a8f4-4390-a6dc-0f5423e97da4.yaml b/yaml/d9e00cc7-a8f4-4390-a6dc-0f5423e97da4.yaml
index d5ade8371..8c2b12086 100644
--- a/yaml/d9e00cc7-a8f4-4390-a6dc-0f5423e97da4.yaml
+++ b/yaml/d9e00cc7-a8f4-4390-a6dc-0f5423e97da4.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: d9e00cc7-a8f4-4390-a6dc-0f5423e97da4
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/d9f2c3d6-160c-4eb3-8547-894fcf810342.yaml b/yaml/d9f2c3d6-160c-4eb3-8547-894fcf810342.yaml
index 871672759..0e48cd611 100644
--- a/yaml/d9f2c3d6-160c-4eb3-8547-894fcf810342.yaml
+++ b/yaml/d9f2c3d6-160c-4eb3-8547-894fcf810342.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: d9f2c3d6-160c-4eb3-8547-894fcf810342
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/de003542-80e1-4aa0-9b99-ed8647a93a6e.yaml b/yaml/de003542-80e1-4aa0-9b99-ed8647a93a6e.yaml
index f68dbb714..53b2bc56b 100644
--- a/yaml/de003542-80e1-4aa0-9b99-ed8647a93a6e.yaml
+++ b/yaml/de003542-80e1-4aa0-9b99-ed8647a93a6e.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: de003542-80e1-4aa0-9b99-ed8647a93a6e
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/de365e80-45cb-48fb-af6e-0a96a5ad7777.yaml b/yaml/de365e80-45cb-48fb-af6e-0a96a5ad7777.yaml
index 3600f8a13..a11a09a25 100644
--- a/yaml/de365e80-45cb-48fb-af6e-0a96a5ad7777.yaml
+++ b/yaml/de365e80-45cb-48fb-af6e-0a96a5ad7777.yaml
@@ -24,6 +24,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: de365e80-45cb-48fb-af6e-0a96a5ad7777
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/de4dd27a-1f7e-4271-98a4-55395ab6aabf.yaml b/yaml/de4dd27a-1f7e-4271-98a4-55395ab6aabf.yaml
index 0c0cdc0cc..7a1b6962c 100644
--- a/yaml/de4dd27a-1f7e-4271-98a4-55395ab6aabf.yaml
+++ b/yaml/de4dd27a-1f7e-4271-98a4-55395ab6aabf.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: de4dd27a-1f7e-4271-98a4-55395ab6aabf
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/dfce8b0f-d857-4808-80ef-61273c7a4183.yaml b/yaml/dfce8b0f-d857-4808-80ef-61273c7a4183.yaml
index d73fb094b..61805f6b9 100644
--- a/yaml/dfce8b0f-d857-4808-80ef-61273c7a4183.yaml
+++ b/yaml/dfce8b0f-d857-4808-80ef-61273c7a4183.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: dfce8b0f-d857-4808-80ef-61273c7a4183
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/e368efc7-cf69-47ae-8204-f69dac000b22.yaml b/yaml/e368efc7-cf69-47ae-8204-f69dac000b22.yaml
index 69ff8f232..68fa34790 100644
--- a/yaml/e368efc7-cf69-47ae-8204-f69dac000b22.yaml
+++ b/yaml/e368efc7-cf69-47ae-8204-f69dac000b22.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
   value: ''
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: e368efc7-cf69-47ae-8204-f69dac000b22
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/e4098d7e-78b3-4da1-96cb-68b27f245e02.yaml b/yaml/e4098d7e-78b3-4da1-96cb-68b27f245e02.yaml
index 81739bae9..053046f42 100644
--- a/yaml/e4098d7e-78b3-4da1-96cb-68b27f245e02.yaml
+++ b/yaml/e4098d7e-78b3-4da1-96cb-68b27f245e02.yaml
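Review bot: The placeholder entry `- type: ''` / `value: ''` survives in the context lines above the added entries, so e368efc7's Detection list now carries an empty item alongside the five real references; anything that iterates the list and renders one link per entry will emit a blank one. The same leftover appears in the ecabc507 and f22e7230 hunks of this chunk, which have the identical `Created: '2023-07-22'` shape. The enrichment step in bin/enrich_with_yara.py should drop entries whose `type` is empty before appending the new references, which would turn those two context lines into removals here.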
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: e4098d7e-78b3-4da1-96cb-68b27f245e02
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/e42cd285-4dda-4086-a696-93ab1d6f17ca.yaml b/yaml/e42cd285-4dda-4086-a696-93ab1d6f17ca.yaml
index 0318cf76f..cbb7e2734 100644
--- a/yaml/e42cd285-4dda-4086-a696-93ab1d6f17ca.yaml
+++ b/yaml/e42cd285-4dda-4086-a696-93ab1d6f17ca.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: e42cd285-4dda-4086-a696-93ab1d6f17ca
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/e4609b54-cb25-4433-a75a-7a17f43cec00.yaml b/yaml/e4609b54-cb25-4433-a75a-7a17f43cec00.yaml
index e547cd020..4c707b40b 100644
--- a/yaml/e4609b54-cb25-4433-a75a-7a17f43cec00.yaml
+++ b/yaml/e4609b54-cb25-4433-a75a-7a17f43cec00.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: e4609b54-cb25-4433-a75a-7a17f43cec00
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/e7c958da-fd5d-40d6-975e-582c6fee7f69.yaml b/yaml/e7c958da-fd5d-40d6-975e-582c6fee7f69.yaml
index b79b49217..c5799116b 100644
--- a/yaml/e7c958da-fd5d-40d6-975e-582c6fee7f69.yaml
+++ b/yaml/e7c958da-fd5d-40d6-975e-582c6fee7f69.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: e7c958da-fd5d-40d6-975e-582c6fee7f69
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/ecabc507-2cc7-4011-89ab-7d9d659e6f88.yaml b/yaml/ecabc507-2cc7-4011-89ab-7d9d659e6f88.yaml
index 3c16ec522..132d66d24 100644
--- a/yaml/ecabc507-2cc7-4011-89ab-7d9d659e6f88.yaml
+++ b/yaml/ecabc507-2cc7-4011-89ab-7d9d659e6f88.yaml
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
   value: ''
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: ecabc507-2cc7-4011-89ab-7d9d659e6f88
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/edd29861-6984-4dbe-8e7c-22e9b6cf68d0.yaml b/yaml/edd29861-6984-4dbe-8e7c-22e9b6cf68d0.yaml
index 22892ac83..08ef8825b 100644
--- a/yaml/edd29861-6984-4dbe-8e7c-22e9b6cf68d0.yaml
+++ b/yaml/edd29861-6984-4dbe-8e7c-22e9b6cf68d0.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: edd29861-6984-4dbe-8e7c-22e9b6cf68d0
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/eef1fcf4-8c54-420b-8d38-9c5f95129dcc.yaml b/yaml/eef1fcf4-8c54-420b-8d38-9c5f95129dcc.yaml
index 95e355b6e..ffb371b77 100644
--- a/yaml/eef1fcf4-8c54-420b-8d38-9c5f95129dcc.yaml
+++ b/yaml/eef1fcf4-8c54-420b-8d38-9c5f95129dcc.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_mal_drivers_strict.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: eef1fcf4-8c54-420b-8d38-9c5f95129dcc
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/f22e7230-5f32-4c4e-bc9d-9076ebf10baa.yaml b/yaml/f22e7230-5f32-4c4e-bc9d-9076ebf10baa.yaml
index ebb2b3273..3e84b8da4 100644
--- a/yaml/f22e7230-5f32-4c4e-bc9d-9076ebf10baa.yaml
+++ b/yaml/f22e7230-5f32-4c4e-bc9d-9076ebf10baa.yaml
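Review bot: The `yara_signature` value added for eef1fcf4 points at `yara-rules_mal_drivers_strict.yar`, while every other hunk in this chunk references `yara-rules_vuln_drivers_strict_renamed.yar`, and the sigma and sysmon entries added alongside it here still reference the `vuln_drivers` rule sets and the `vulnerable_hashes` configs. If this driver is catalogued as malicious rather than vulnerable the mixed references are presumably intentional, but that should be confirmed, since a defender following the links would get a yara rule for one category and sigma/sysmon coverage for another. If it is not intentional, the yara value should match the others; either way, a short comment in bin/enrich_with_yara.py stating how the yara file is chosen per driver category would make outliers like this one reviewable.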
@@ -15,6 +15,16 @@ Created: '2023-07-22'
 Detection:
 - type: ''
   value: ''
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: f22e7230-5f32-4c4e-bc9d-9076ebf10baa
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/f4990bdd-8821-4a3c-a11a-4651e645810c.yaml b/yaml/f4990bdd-8821-4a3c-a11a-4651e645810c.yaml
index 3a3f290a0..4887de46b 100644
--- a/yaml/f4990bdd-8821-4a3c-a11a-4651e645810c.yaml
+++ b/yaml/f4990bdd-8821-4a3c-a11a-4651e645810c.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: f4990bdd-8821-4a3c-a11a-4651e645810c
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/f4c22f4d-eff8-40c5-8b31-146abe5f17b7.yaml b/yaml/f4c22f4d-eff8-40c5-8b31-146abe5f17b7.yaml
index ca5a30b3d..6626137df 100644
--- a/yaml/f4c22f4d-eff8-40c5-8b31-146abe5f17b7.yaml
+++ b/yaml/f4c22f4d-eff8-40c5-8b31-146abe5f17b7.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: f4c22f4d-eff8-40c5-8b31-146abe5f17b7
 KnownVulnerableSamples:
 - Company: ''
diff --git a/yaml/f654ad84-c61d-477c-a0b2-d153b927dfcc.yaml b/yaml/f654ad84-c61d-477c-a0b2-d153b927dfcc.yaml
index 2952bd771..0ac9d2123 100644
--- a/yaml/f654ad84-c61d-477c-a0b2-d153b927dfcc.yaml
+++ b/yaml/f654ad84-c61d-477c-a0b2-d153b927dfcc.yaml
@@ -24,6 +24,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: f654ad84-c61d-477c-a0b2-d153b927dfcc
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/fab98aaa-e4e7-4c4a-af65-c00d35cf66e9.yaml b/yaml/fab98aaa-e4e7-4c4a-af65-c00d35cf66e9.yaml
index d29154e5a..dde004bdc 100644
--- a/yaml/fab98aaa-e4e7-4c4a-af65-c00d35cf66e9.yaml
+++ b/yaml/fab98aaa-e4e7-4c4a-af65-c00d35cf66e9.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: fab98aaa-e4e7-4c4a-af65-c00d35cf66e9
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/fbdd993b-47b1-4448-8c41-24c310802398.yaml b/yaml/fbdd993b-47b1-4448-8c41-24c310802398.yaml
index 3f4b5e37f..cd94e1e65 100644
--- a/yaml/fbdd993b-47b1-4448-8c41-24c310802398.yaml
+++ b/yaml/fbdd993b-47b1-4448-8c41-24c310802398.yaml
@@ -28,6 +28,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: fbdd993b-47b1-4448-8c41-24c310802398
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/fdf4f85b-47f4-4c98-a0d5-a6583463f565.yaml b/yaml/fdf4f85b-47f4-4c98-a0d5-a6583463f565.yaml
index d6274fee4..3072242d7 100644
--- a/yaml/fdf4f85b-47f4-4c98-a0d5-a6583463f565.yaml
+++ b/yaml/fdf4f85b-47f4-4c98-a0d5-a6583463f565.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: fdf4f85b-47f4-4c98-a0d5-a6583463f565
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/fe2f68e1-e459-4802-9a9a-23bb3c2fd331.yaml b/yaml/fe2f68e1-e459-4802-9a9a-23bb3c2fd331.yaml
index c5f292d09..7c780e0a9 100644
--- a/yaml/fe2f68e1-e459-4802-9a9a-23bb3c2fd331.yaml
+++ b/yaml/fe2f68e1-e459-4802-9a9a-23bb3c2fd331.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: fe2f68e1-e459-4802-9a9a-23bb3c2fd331
 KnownVulnerableSamples:
 - Authentihash:
diff --git a/yaml/ff74f03e-e4ce-4242-bfe3-60601056bb34.yaml b/yaml/ff74f03e-e4ce-4242-bfe3-60601056bb34.yaml
index 45322d326..68016dcb5 100644
--- a/yaml/ff74f03e-e4ce-4242-bfe3-60601056bb34.yaml
+++ b/yaml/ff74f03e-e4ce-4242-bfe3-60601056bb34.yaml
@@ -22,6 +22,16 @@ Detection:
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
 - type: sysmon_hash_block
   value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
+- type: yara_signature
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules_vuln_drivers_strict_renamed.yar
+- type: sigma_hash
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml
+- type: sigma_names
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml
+- type: sysmon_hash_detect
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml
+- type: sysmon_hash_block
+  value: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml
 Id: ff74f03e-e4ce-4242-bfe3-60601056bb34
 KnownVulnerableSamples:
 - Authentihash: