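# Sigma rule: hash-based detection of known-malicious Windows drivers.
# The hash list is sourced from the LOLDrivers project (see references). When
# updating it, regenerate the list from upstream rather than editing entries by
# hand, so the rule stays in sync with the project's malicious-driver catalogue.
title: Malicious Driver Load Despite HVCI
id: bd17303b-1003-437e-93e4-97f79c03aeb3
status: experimental
# The rule does not inspect HVCI state: it matches on the driver's hash alone,
# so it fires on any load of a listed driver whether HVCI is enabled or not.
description: Detects loading of known malicious drivers via their hash whether or not HVCI (Hypervisor Code Integrity) is enabled.
references:
    - https://loldrivers.io/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/18
modified: 2024/04/09
tags:
    - attack.privilege_escalation
    - attack.t1543.003
    - attack.t1068
logsource:
    product: windows
    category: driver_load
detection:
    selection:
        # Every entry carries its algorithm prefix ("MD5=", "SHA1=", "SHA256=",
        # "IMPHASH=") so that the substring match on the Hashes field (typically a
        # comma-separated "ALG=digest" list) is anchored to the right algorithm and
        # cannot partially match inside a digest of another type.
        # IMPHASH entries only match if the sensor is configured to compute import
        # hashes; otherwise they are inert. An IMPHASH is derived from the import
        # table rather than the file contents, so an IMPHASH-only hit is a weaker
        # indicator than an MD5/SHA1/SHA256 hit and is worth confirming against the
        # file's full hash before escalating.
        Hashes|contains:
            - 'MD5=3d0b3e19262099ade884b75ba86ca7e8'
            - 'MD5=0ea8389589c603a8b05146bd06020597'
            - 'MD5=8636fe3724f2bcba9399daffd6ef3c7e'
            - 'MD5=0bdd51cc33e88b5265dfb7d88c5dc8d6'
            - 'MD5=a236e7d654cd932b7d11cb604629a2d0'
            - 'MD5=a6e9d6505f6d2326a8a9214667c61c67'
            - 'MD5=1cd158a64f3d886357535382a6fdad75'
            - 'MD5=2406ea37152d2154be3fef6d69ada2c6'
            - 'MD5=04a88f5974caa621cee18f34300fc08a'
            - 'MD5=ef0e1725aaf0c6c972593f860531a2ea'
            - 'MD5=4748696211bd56c2d93c21cab91e82a5'
            - 'MD5=40b968ecdbe9e967d92c5da51c390eee'
            - 'MD5=bd5b0514f3b40f139d8079138d01b5f6'
            - 'MD5=b0770094c3c64250167b55e4db850c04'
            - 'MD5=bd91787b5dcb2189b856804e85dfa1d9'
            - 'MD5=5a4fe297c7d42539303137b6d75b150d'
            - 'MD5=5ebfc0af031130ba9de1d5d3275734b3'
            - 'MD5=2ec877e425bd7eddb663627216e3491e'
            - 'MD5=550b7991d93534bc510bc4f237155a7a'
            - 'MD5=491aec2249ad8e2020f9f9b559ab68a8'
            - 'MD5=0ae30291c6cbfa7be39320badd6e8de0'
            - 'MD5=62c18d61ed324088f963510bae43b831'
            - 'MD5=4118b86e490aed091b1a219dba45f332'
            - 'MD5=88bea56ae9257b40063785cf47546024'
            - 'MD5=4dd6250eb2d368f500949952eb013964'
            - 'MD5=072ba2309b825ce1dba37d8d924ea8ed'
            - 'MD5=19bdd9b799e3c2c54c0d7fff68b31c20'
            - 'MD5=3f11a94f1ac5efdd19767c6976da9ba4'
            - 'MD5=f242cffd9926c0ccf94af3bf16b6e527'
            - 'MD5=a90236e4962620949b720f647a91f101'
            - 'MD5=4b058945c9f2b8d8ebc485add1101ba5'
            - 'MD5=5917e415a5bf30b3fcbcbcb8a4f20ee0'
            - 'MD5=5aeab9427d85951def146b4c0a44fc63'
            - 'MD5=a837302307dace2a00d07202b661bce2'
            - 'MD5=b6b530dd25c5eb66499968ec82e8791e'
            - 'MD5=c94f405c5929cfcccc8ad00b42c95083'
            - 'MD5=e8eac6642b882a6196555539149c73f2'
            - 'MD5=14580bd59c55185115fd3abe73b016a2'
            - 'MD5=0b311af53d2f4f77d30f1aed709db257'
            - 'MD5=be6318413160e589080df02bb3ca6e6a'
            - 'MD5=e939448b28a4edc81f1f974cebf6e7d2'
            - 'MD5=97264fd62d4907bdac917917a07b3b7a'
            - 'MD5=844af8c877f5da723c1b82cf6e213fc1'
            - 'MD5=a26363e7b02b13f2b8d697abb90cd5c3'
            - 'MD5=77a7ed4798d02ef6636cd0fd07fc382a'
            - 'MD5=f69b06ca7c34d16f26ea1c6861edf62a'
            - 'MD5=10f3679384a03cb487bda9621ceb5f90'
            - 'MD5=6771b13a53b9c7449d4891e427735ea2'
            - 'MD5=0b9b78d1281c7d4ab50497cf6ea7452a'
            - 'MD5=093a2a635c3a27aac50efd6463f4efa1'
            - 'MD5=a9df5964635ef8bd567ae487c3d214c4'
            - 'MD5=3dd829fb27353622eff34be1eabb8f18'
            - 'MD5=40f35792e7565aa047796758a3ce1b77'
            - 'MD5=c71be7b112059d2dc84c0f952e04e6cc'
            - 'MD5=0f16a43f7989034641fd2de3eb268bf1'
            - 'MD5=6d131a7462e568213b44ef69156f10a5'
            - 'MD5=47e6ac52431ca47da17248d80bf71389'
            - 'MD5=fb7c61ef427f9b2fdff3574ee6b1819b'
            - 'MD5=4ad8fd9e83d7200bd7f8d0d4a9abfb11'
            - 'MD5=0023ca0ca16a62d93ef51f3df98b2f94'
            - 'MD5=cd2c641788d5d125c316ed739c69bb59'
            - 'MD5=79df0eabbf2895e4e2dae15a4772868c'
            - 'MD5=e29f6311ae87542b3d693c1f38e4e3ad'
            - 'MD5=97539c78d6e2b5356ce79e40bcd4d570'
            - 'MD5=1fc7aeeff3ab19004d2e53eae8160ab1'
            - 'MD5=a42249a046182aaaf3a7a7db98bfa69d'
            - 'MD5=50b39072d0ee9af5ef4824eca34be6e3'
            - 'SHA1=fff4f28287677caabc60c8ab36786c370226588d'
            - 'SHA1=3b6b35bca1b05fafbfc883a844df6d52af44ccdc'
            - 'SHA1=d4cf9296271a9c5c40b0fa34f69b6125c2d14457'
            - 'SHA1=6a6fe0d69e0ea34d695c3b525e6db639f9ad6ac5'
            - 'SHA1=17fa047c1f979b180644906fe9265f21af5b0509'
            - 'SHA1=3c1c3f5f5081127229ba0019fbf0efc2a9c1d677'
            - 'SHA1=613a9df389ad612a5187632d679da11d60f6046a'
            - 'SHA1=0bec69c1b22603e9a385495fbe94700ac36b28e5'
            - 'SHA1=0883a9c54e8442a551994989db6fc694f1086d41'
            - 'SHA1=f92faed3ef92fa5bc88ebc1725221be5d7425528'
            - 'SHA1=37e6450c7cd6999d080da94b867ba23faa8c32fe'
            - 'SHA1=9382981b05b1fb950245313992444bfa0db5f881'
            - 'SHA1=c257aa4094539719a3c7b7950598ef872dbf9518'
            - 'SHA1=6abc7979ba044f31884517827afb7b4bdaa0dcc1'
            - 'SHA1=89a74d0e9fd03129082c5b868f5ad62558ca34fd'
            - 'SHA1=d02403f85be6f243054395a873b41ef8a17ea279'
            - 'SHA1=2929de0b5b5e1ba1cce1908e9d800aa21f448b3d'
            - 'SHA1=3825ebb0b0664b5f0789371240f65231693be37d'
            - 'SHA1=48f03a13b0f6d3d929a86514ce48a9352ffef5ad'
            - 'SHA1=08dd35dde6187af579a1210e00eadbcea29e66d2'
            - 'SHA1=98c4406fede34c3704afd8cf536ec20d93df9a10'
            - 'SHA1=a14cd928c60495777629be283c1d5b8ebbab8c0d'
            - 'SHA1=76789196eebfd4203f477a5a6c75eefc12d9a837'
            - 'SHA1=994e3f5dd082f5d82f9cc84108a60d359910ba79'
            - 'SHA1=cb25a5125fb353496b59b910263209f273f3552d'
            - 'SHA1=994dc79255aeb662a672a1814280de73d405617a'
            - 'SHA1=97812f334a077c40e8e642bb9872ac2c49ddb9a2'
            - 'SHA1=9c1c9032aa1e33461f35dbf79b6f2d061bfc6774'
            - 'SHA1=c3ca396b5af2064c6f7d05fa0fb697e68d0b9631'
            - 'SHA1=b34a012887ddab761b2298f882858fa1ff4d99f1'
            - 'SHA1=27371f45f42383029c3c2e6d64a22e35dc772a72'
            - 'SHA1=b6eb40ea52b47f03edb8f45e2e431b5f666df8c5'
            - 'SHA1=43501832ce50ccaba2706be852813d51de5a900f'
            - 'SHA1=03e82eae4d8b155e22ffdafe7ba0c4ab74e8c1a7'
            - 'SHA1=6abbc3003c7aa69ce79cbbcd2e3210b07f21d202'
            - 'SHA1=4b882748faf2c6c360884c6812dd5bcbce75ebff'
            - 'SHA1=c9e9198d52d94771cb14711a5f6aaf8d82b602a2'
            - 'SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d'
            - 'SHA1=cc65bf60600b64feece5575f21ab89e03a728332'
            - 'SHA1=86e6669dbbce8228e94b2a9f86efdf528f0714fd'
            - 'SHA1=91f832f46e4c38ecc9335460d46f6f71352cffed'
            - 'SHA1=ebd8b7e964b8c692eea4a8c406b9cd0be621ebe2'
            - 'SHA1=4f2d9a70ea24121ae01df8a76ffba1f9cc0fde4a'
            - 'SHA1=5ed22c0033aed380aa154e672e8db3a2d4c195c4'
            - 'SHA1=1f3799fed3cf43254fe30dcdfdb8dc02d82e662b'
            - 'SHA1=18693de1487c55e374b46a7728b5bf43300d4f69'
            - 'SHA1=cb3f30809b05cf02bc29d4a7796fb0650271e542'
            - 'SHA1=6802e2d2d4e6ee38aa513dafd6840e864310513b'
            - 'SHA1=25bf4e30a94df9b8f8ab900d1a43fd056d285c9d'
            - 'SHA1=9ee31f1f25f675a12b7bad386244a9fbfa786a87'
            - 'SHA1=6df35a0c2f6d7d39d24277137ea840078dafb812'
            - 'SHA1=fdbcebb6cafda927d384d7be2e8063a4377d884f'
            - 'SHA1=dd94a2436994ac35db91e0ec9438b95e438d38c5'
            - 'SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a'
            - 'SHA1=a48aa80942fc8e0699f518de4fd6512e341d4196'
            - 'SHA1=bf2f8ada4e80aed4710993cedf4c5d32c95cd509'
            - 'SHA1=71469dce9c2f38d0e0243a289f915131bf6dd2a8'
            - 'SHA1=7f7d144cc80129d0db3159ea5d4294c34b79b20a'
            - 'SHA1=675cc00de7c1ef508ccd0c91770c82342c0ad4ab'
            - 'SHA1=53f776d9a183c42b93960b270dddeafba74eb3fb'
            - 'SHA1=1f25f54e9b289f76604e81e98483309612c5a471'
            - 'SHA1=b5a8e2104d76dbb04cd9ffe86784113585822375'
            - 'SHA1=8302802b709ad242a81b939b6c90b3230e1a1f1e'
            - 'SHA1=22c9da04847c26188226c3a345e2126ef00aa19e'
            - 'SHA1=064de88dbbea67c149e779aac05228e5405985c7'
            - 'SHA1=b8b123a413b7bccfa8433deba4f88669c969b543'
            - 'SHA1=91568d7a82cc7677f6b13f11bea5c40cf12d281b'
            - 'SHA1=ea4a405445bb6e58c16b81f6d5d2c9a9edde419b'
            - 'SHA1=73bac306292b4e9107147db94d0d836fdb071e33'
            - 'SHA1=4dd86ff6f7180abebcb92e556a486abe7132754c'
            - 'SHA1=8692274681e8d10c26ddf2b993f31974b04f5bf0'
            - 'SHA1=d417c0be261b0c6f44afdec3d5432100e420c3ed'
            - 'SHA1=552730553a1dea0290710465fb8189bdd0eaad42'
            - 'SHA1=f6793243ad20359d8be40d3accac168a15a327fb'
            - 'SHA1=d4f5323da704ff2f25d6b97f38763c147f2a0e6f'
            - 'SHA256=81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1'
            - 'SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c'
            - 'SHA256=770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a'
            - 'SHA256=42ff11ddb46dfe5fa895e7babf88ee27790cde53a9139fc384346a89e802a327'
            - 'SHA256=f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d'
            - 'SHA256=b0f1fbadc1d7a77557d3d836f7698bd986a3ec9fc5d534ad3403970f071176f7'
            - 'SHA256=e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217'
            - 'SHA256=e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12'
            - 'SHA256=32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d'
            - 'SHA256=0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3'
            - 'SHA256=f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a'
            - 'SHA256=8922be14c657e603179f1dd94dc32de7c99d2268ac92d429c4fdda7396c32e50'
            - 'SHA256=6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724'
            - 'SHA256=b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427'
            - 'SHA256=49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530'
            - 'SHA256=a2d32c28eb5945b85872697d7cfbe87813c09a0e1be28611563755f68b9cb88b'
            - 'SHA256=86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62'
            - 'SHA256=7a84703552ae032a0d1699a081e422ed6c958bbe56d5b41839c8bfa6395bee1d'
            - 'SHA256=82b0e1d7a27b67f0e6dc39dc41e880bdaef5d1f69fcec38e08da2ed78e805ef9'
            - 'SHA256=ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620'
            - 'SHA256=30061ef383e18e74bb067fbca69544f1a7544e8dc017d4e7633d8379aff4c3c3'
            - 'SHA256=888491196bd8ff528b773a3e453eae49063ad31fb4ca0f9f2e433f8d35445440'
            - 'SHA256=6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77'
            - 'SHA256=751e9376cb7cb9de63e1808d43579d787d3f6d659173038fe44a2d7fdb4fd17e'
            - 'SHA256=e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e'
            - 'SHA256=29d765e29d2f06eb511ee88b2e514c9df1a9020a768ddd3d2278d9045e9cdb4a'
            - 'SHA256=bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df'
            - 'SHA256=5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a'
            - 'SHA256=fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5'
            - 'SHA256=f0474e76cfd36e37e32cfe5c0a9e05ddee17dd5014d7aa8817ea3634a3540a3f'
            - 'SHA256=139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988'
            - 'SHA256=da70fa44290f949e9b3e0fcfe0503de46e82e0472e8e3c360da3fd2bfa364eee'
            - 'SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4'
            - 'SHA256=0181d60506b1f3609217487c2c737621d637e1232f243f68c662d045f44d4873'
            - 'SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c'
            - 'SHA256=bed4285d0f8d18f17ddaa53a98a475c87c04c4d167499e24c770da788e5d45f4'
            - 'SHA256=e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d'
            - 'SHA256=6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f'
            - 'SHA256=50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76'
            - 'SHA256=d25b5e4d07f594c640dcd93cfc8ab3f0a38348150bd0bfae89f404fbb0d811c6'
            - 'SHA256=4f02aed3750bc6a924c75e774404f259f721d8f4081ed68aa01cf73ca5430f85'
            - 'SHA256=ad938d15ecfd70083c474e1642a88b078c3cea02cdbddf66d4fb1c01b9b29d9a'
            - 'SHA256=24c900024d213549502301c366d18c318887630f04c96bf0a3d6ba74e0df164f'
            - 'SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc'
            - 'SHA256=8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e'
            - 'SHA256=7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376'
            - 'SHA256=f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae'
            - 'SHA256=c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c'
            - 'SHA256=8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce'
            - 'SHA256=4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4'
            - 'SHA256=23e89fd30a1c7db37f3ea81b779ce9acf8a4294397cbb54cff350d54afcfd931'
            - 'SHA256=1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e'
            - 'SHA256=5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae'
            - 'SHA256=b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3'
            - 'SHA256=9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51'
            - 'SHA256=8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330'
            - 'SHA256=9a67626fb468d3f114c23ac73fd8057f43d06393d3eca04da1d6676f89da2d40'
            - 'SHA256=5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d'
            - 'SHA256=497a836693be1b330993e2be64f6c71bf290c127faca1c056abd0dc374654830'
            - 'SHA256=96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc'
            - 'SHA256=f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280'
            - 'SHA256=87565ff08a93a8ff41ea932bf55dec8e0c7e79aba036507ea45df9d81cb36105'
            - 'SHA256=52d5c35325ce701516f8b04380c9fbdb78ec6bcc13b444f758fdb03d545b0677'
            - 'SHA256=5f6fec8f7890d032461b127332759c88a1b7360aa10c6bd38482572f59d2ba8b'
            - 'SHA256=749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c'
            - 'SHA256=06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f'
            - 'SHA256=56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c'
            - 'IMPHASH=65ccc2c578a984c31880b6c5e65257d3'
            - 'IMPHASH=cf0eb2dce2ba2c9ff5dd0da794b8b372'
            - 'IMPHASH=2a008187d4a73284ddcc43f1b727b513'
            - 'IMPHASH=2de3451f3e7b02970582bb8f9fd8c73a'
            - 'IMPHASH=4c7cc13a110ccdbb932bb9d7d42efdf4'
            - 'IMPHASH=e3ee9131742bf9c9d43cb9a425e497dd'
            - 'IMPHASH=27f6dc8a247a22308dd1beba5086b302'
            - 'IMPHASH=8d070a93a45ed8ba6dba6bfbe0d084e7'
            - 'IMPHASH=832219eb71b8bdb771f1d29d27b0acf4'
            - 'IMPHASH=514298d18002920ee5a917fc34426417'
            - 'IMPHASH=dbf09dd3e675f15c7cc9b4d2b8e6cd90'
            - 'IMPHASH=c9a6e83d931286d1604d1add8403e1e5'
            - 'IMPHASH=d51f0f6034eb5e45f0ed4e9b7bbc9c97'
            - 'IMPHASH=bf9d32a6ab9effcd2fd6a734e5be98f9'
            - 'IMPHASH=be0dd8b8e045356d600ee55a64d9d197'
            - 'IMPHASH=6b387c029257f024a43a73f38afb2629'
            - 'IMPHASH=f8e4844312e81dbdb4e8e95e2ad2c127'
            - 'IMPHASH=0262d4147f21d681f8519ab2af79283f'
            - 'IMPHASH=26ceec6572c630bdad60c984e51b7da4'
            - 'IMPHASH=a09170ef09c55cdca9472c02cb1f2647'
            - 'IMPHASH=6c8d5c79a850eecc2fb0291cebda618d'
            - 'IMPHASH=059c6bd84285f4960e767f032b33f19b'
            - 'IMPHASH=c32d9a9af7f702814e1368c689877f3a'
            - 'IMPHASH=3db9de43d5d530c10d0cd2d43c7a0771'
            - 'IMPHASH=ea37e43ffc7cfcba181c5cff37a9be1f'
            - 'IMPHASH=70e1caa5a322b56fd7951f1b2caacb0d'
            - 'IMPHASH=4b47f6031c558106eee17655f8f8a32f'
            - 'IMPHASH=fca0f3c7b6d79f494034b9d2a1f5921a'
            - 'IMPHASH=420625b024fba72a24025defdf95b303'
            - 'IMPHASH=63fd1582ac2edee50f7ec7eedde38ee8'
            - 'IMPHASH=a7bd820fa5b895fab06f20739c9f24b8'
    condition: selection
falsepositives:
    # A hit on a full-file hash is a strong signal; if an environment sees noise,
    # it is most likely to come from the IMPHASH entries (see the comment above).
    - Unknown
level: high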