
// Detects the GIGABYTE gdrv.sys driver build "5.2.3790.1830 built by: WinDDK" by its
// UTF-16LE version-resource strings, both as raw bytes (the driver itself on disk /
// in memory) and as base64 text (the driver embedded in a script, dropper or config).
// The meta description marks this as a VULN/PUA rule: the driver is legitimate
// vendor software that is "sometimes" abused for privilege escalation (BYOVD), so a
// hit on a host with real GIGABYTE tooling installed is expected and is a lead to
// triage (who dropped/loaded it, from where), not by itself evidence of compromise.
rule VULN_PUA_GIGABYTE_Driver_Jul22_1 {
meta:
description = "Detects a vulnerable GIGABYTE driver sometimes used by malicious actors to escalate privileges"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/malmoeb/status/1551449425842786306"
date = "2022-07-25"
// Mid-range score: legitimate driver, abuse-prone rather than malicious per se.
score = 65
hash1 = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427"
id = "c66b858f-a034-53e1-b0fd-e48693fc6913"
strings:
// UTF-16LE slice of the VS_VERSION_INFO block, decoded:
//   "FileVersion" 00.. "5.2.3790.1830 built by: WinDDK" 00.. <entry header 32 00 09 00 01 00>
//   "InternalName" 00.. "gdrv.sys"
// Note the leading 00 is the high byte of the character preceding "F", so this is a
// byte-aligned slice rather than a plain `wide` text string; the value is pinned to
// this exact build/version, so a rebuilt or differently-versioned driver will not match.
$xc1 = { 00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73
00 69 00 6F 00 6E 00 00 00 00 00 35 00 2E 00 32
00 2E 00 33 00 37 00 39 00 30 00 2E 00 31 00 38
00 33 00 30 00 20 00 62 00 75 00 69 00 6C 00 74
00 20 00 62 00 79 00 3A 00 20 00 57 00 69 00 6E
00 44 00 44 00 4B 00 00 00 00 00 32 00 09 00 01
00 49 00 6E 00 74 00 65 00 72 00 6E 00 61 00 6C
00 4E 00 61 00 6D 00 65 00 00 00 67 00 64 00 72
00 76 00 2E 00 73 00 79 00 73 }
/* base64 encoded form */
// Three variants because base64 output depends on the byte offset modulo 3 at which
// the slice sits inside the encoded blob: $x1 is offset 0 (e.g. "AEYAaQBs" == b64 of
// 00 46 00 69 00 6C), $x2 offset 1 and $x3 offset 2, each with the partial leading /
// trailing characters that depend on neighbouring bytes stripped. Together they match
// the slice wherever it lands in a base64 stream.
// NOTE(review): YARA 4.x's `base64` string modifier can generate these three
// permutations from one text string automatically; the explicit form here is
// presumably kept for compatibility with older engines -- confirm before changing.
$x1 = "AEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAANQAuADIALgAzADcAOQAwAC4AMQA4ADMAMAAgAGIAdQBpAGwAdAAgAGIAeQA6ACAAVwBpAG4ARABEAEsAAAAAADIACQABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAAZwBkAHIAdgAuAHMAeQBz"
$x2 = "BGAGkAbABlAFYAZQByAHMAaQBvAG4AAAAAADUALgAyAC4AMwA3ADkAMAAuADEAOAAzADAAIABiAHUAaQBsAHQAIABiAHkAOgAgAFcAaQBuAEQARABLAAAAAAAyAAkAAQBJAG4AdABlAHIAbgBhAGwATgBhAG0AZQAAAGcAZAByAHYALgBzAHkAc"
$x3 = "ARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAA1AC4AMgAuADMANwA5ADAALgAxADgAMwAwACAAYgB1AGkAbAB0ACAAYgB5ADoAIABXAGkAbgBEAEQASwAAAAAAMgAJAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABnAGQAcgB2AC4AcwB5AH"
condition:
// No PE-header (MZ) check: the base64 variants are meant to fire inside non-PE
// carriers (scripts, text payloads), so requiring uint16(0) == 0x5a4d would break
// them. The size cap only bounds scan cost; any one of the four strings is enough.
filesize < 4000KB and 1 of them
}