From d4b0b7577a17d60d32952108bbaee1c8de0144b4 Mon Sep 17 00:00:00 2001 From: Robel Campbell Date: Fri, 31 Jan 2025 14:59:40 -0500 Subject: [PATCH 1/2] Added new BYOVD: TPwSav.sys --- YML-Template.yml | 2 +- ...b3cec397246fdc63436e58b1bf597550a647f6.bin | 0 .../c0634ed7-840e-4a7e-8b34-33efe50405c2.yaml | 37 +++++++++++++++++++ 3 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 tmp/011df46e94218cbb2f0b8da13ab3cec397246fdc63436e58b1bf597550a647f6.bin create mode 100644 yaml/c0634ed7-840e-4a7e-8b34-33efe50405c2.yaml diff --git a/YML-Template.yml b/YML-Template.yml index b1fc1c184..0df1de639 100644 --- a/YML-Template.yml +++ b/YML-Template.yml @@ -9,7 +9,7 @@ Author: Your Name # Example: John Doe Created: 'YYYY-MM-DD' # Example: '2023-04-15' MitreID: TXXXX # Example: T1000 CVE: - - CVE-XXXX-XXXX # Example: CVE-2023-20222 + - N/A # Example: CVE-2023-20222 Category: Category Name # Example: vulnerable driver Verified: 'TRUE or FALSE' # Example: 'TRUE' Commands: diff --git a/tmp/011df46e94218cbb2f0b8da13ab3cec397246fdc63436e58b1bf597550a647f6.bin b/tmp/011df46e94218cbb2f0b8da13ab3cec397246fdc63436e58b1bf597550a647f6.bin new file mode 100644 index 000000000..e69de29bb diff --git a/yaml/c0634ed7-840e-4a7e-8b34-33efe50405c2.yaml b/yaml/c0634ed7-840e-4a7e-8b34-33efe50405c2.yaml new file mode 100644 index 000000000..23ecf6fda --- /dev/null +++ b/yaml/c0634ed7-840e-4a7e-8b34-33efe50405c2.yaml 
@@ -0,0 +1,37 @@ +Id: c0634ed7-840e-4a7e-8b34-33efe50405c2 +Author: Robel Campbell +Created: '2025-01-31' +MitreID: T1068 +Category: vulnerable driver +Verified: 'TRUE' +Commands: + Command: sc.exe create TPwSav.sys binPath=C:\windows\temp\TPwSav.sys type=kernel + && sc.exe start TPwSav.sys + Description: A driver associated with Toshiba laptops power saving functionality + allows arbitary one byte reading and writing mapped physical addresses. Blackpoint Cyber's SOC observed this driver being used as part of a custom EDRSandblast malware to blind EDR prior to Qilin ransomware deployment. + Usecase: Elevate privileges, Blind EDR + Privileges: kernel + OperatingSystem: Windows +Resources: +- Coming soon... +Acknowledgement: + Person: '' + Handle: '' +Detection: [] +KnownVulnerableSamples: +- Filename: 'TPwSav.sys' + MD5: b0caa4f3ac2841be683933a6af9bee0e + SHA1: c1130e09831c7a2e0cc8ba7335e702910b25f526 + SHA256: 011df46e94218cbb2f0b8da13ab3cec397246fdc63436e58b1bf597550a647f6 + Signature: '' + Date: '' + Publisher: '' + Company: '' + Description: '' + Product: '' + ProductVersion: '' + FileVersion: '' + MachineType: '' + OriginalFilename: '' +Tags: +- TPwSav.sys \ No newline at end of file From 0177e5338e08b86ea809ff9ec5e804e8f1fe8d40 Mon Sep 17 00:00:00 2001 From: Robel Campbell Date: Fri, 31 Jan 2025 15:02:16 -0500 Subject: [PATCH 2/2] Added new BYOVD: TPwSav.sys --- ...6e94218cbb2f0b8da13ab3cec397246fdc63436e58b1bf597550a647f6.bin | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 tmp/011df46e94218cbb2f0b8da13ab3cec397246fdc63436e58b1bf597550a647f6.bin diff --git a/tmp/011df46e94218cbb2f0b8da13ab3cec397246fdc63436e58b1bf597550a647f6.bin b/tmp/011df46e94218cbb2f0b8da13ab3cec397246fdc63436e58b1bf597550a647f6.bin deleted file mode 100644 index e69de29bb..000000000
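Review bot: the change to YML-Template.yml in the first hunk replaces the CVE placeholder `- CVE-XXXX-XXXX` with `- N/A` while keeping the trailing `# Example: CVE-2023-20222`, so the template now ships a literal value instead of a fill-in slot and the comment no longer matches it; the edit is also unrelated to the TPwSav.sys entry the commit adds. Suggest dropping this hunk from the PR, or, if `N/A` is meant to become the default for drivers without a CVE, submitting it separately with the comment updated to something like `# Example: CVE-2023-20222, or N/A if none`.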
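Review bot: the new yaml/c0634ed7-840e-4a7e-8b34-33efe50405c2.yaml entry lands with most of the KnownVulnerableSamples metadata empty (Signature, Date, Publisher, Company, Product, FileVersion, OriginalFilename) and with `Resources: - Coming soon...`, which is thin for an entry marked `Verified: 'TRUE'`; the signer and signing date in particular are what defenders need for WDAC and driver blocklist rules, so please populate them from the sample's Authenticode data (the MD5/SHA1/SHA256 are already there) and replace the placeholder with the Blackpoint Cyber write-up the Description cites. Smaller points in the same hunk: "arbitary" in the Description should read "arbitrary"; since Usecase lists "Blind EDR" next to privilege escalation, consider whether T1562.001 (Impair Defenses: Disable or Modify Tools) belongs alongside T1068 if the schema allows more than one MitreID; `Detection: []` is empty for a driver the entry says was used to blind EDR, and even a rule keyed on the `sc.exe create TPwSav.sys ... type=kernel` command from the Commands block would give readers something actionable; and the file is missing its trailing newline (`\ No newline at end of file`).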
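Review bot: the file tmp/011df46e94218cbb2f0b8da13ab3cec397246fdc63436e58b1bf597550a647f6.bin created in PATCH 1/2 is an empty blob (index `000000000..e69de29bb`, 0 lines in the diffstat) and PATCH 2/2 exists only to delete it again, so the series adds and removes a stray artifact named after the sample's SHA256. Squash the two commits so the empty file never enters history, and confirm nothing under tmp/ is meant to be tracked, since the YAML already carries the hashes that identify the sample.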