6832 lines
559 KiB
Text
6832 lines
559 KiB
Text
|
|
||
|
|
rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3"
|
||
|
|
hash = "5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02"
|
||
|
|
hash = "ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe"
|
||
|
|
hash = "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "eacc5085-aa34-5f46-977d-84761649bd6d"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310037002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Zemanaltd_Zam_D7E0 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "62c2caf4-0f8e-5873-bc77-ea5a6b390e29"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00310031002e0031002e003500310030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310031002e0031002e003500310030 } /* ProductVersion */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_4744 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elrawdsk.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6"
|
||
|
|
hash = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "13de286c-92f2-5677-86ee-99c70a338c8e"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200610077004400690073006b0020004400720069007600650072002e00200041006c006c006f00770073002000770072006900740065002000610063006300650073007300200074006f002000660069006c0065007300200061006e006400200072006100770020006400690073006b00200073006500630074006f0072007300200066006f0072002000750073006500720020006d006f006400650020006100700070006c00690063006100740069006f006e007300200069006e002000570069006e0064006f007700730020003200300030003000200061006e00640020006c0061007400650072002e } /* FileDescription RawDiskDriverAllowswriteaccesstofilesandrawdisksectorsforusermodeapplicationsinWindowsandlater */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c0064006f005300200043006f00720070006f0072006100740069006f006e } /* CompanyName EldoSCorporation */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200031002c002000320037002c0020003100300036 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200031002c002000320037002c00200030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0065006c00720061007700640073006b002e007300790073 } /* InternalName elrawdsksys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200610077004400690073006b } /* ProductName RawDisk */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0065006c00720061007700640073006b002e007300790073 } /* OriginalFilename elrawdsksys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300037002d0032003000310031002c00200045006c0064006f005300200043006f00720070006f0072006100740069006f006e0020 } /* LegalCopyright CopyrightCEldoSCorporation */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_81AA {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "03cc80bd-699d-5c23-9acc-a523fa3110f3"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0031 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_F6CD {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "40d54ac5-209a-5f0e-b799-f492b7fcc973"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_2594 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "3d265316-2b94-581a-b44a-fe015d316eff"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0033002e0033003800360030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0033002e0033003800360030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_6BEF {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63"
|
||
|
|
hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775"
|
||
|
|
hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22"
|
||
|
|
hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26"
|
||
|
|
hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0"
|
||
|
|
hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578"
|
||
|
|
hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "957addda-818b-504f-98b4-63fdfed768b4"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_45BA {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RwDrv.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a"
|
||
|
|
hash = "3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf"
|
||
|
|
hash = "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d"
|
||
|
|
hash = "1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe"
|
||
|
|
hash = "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "c9279259-59ab-5816-aa59-4d8d53f95793"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200770044007200760020004400720069007600650072 } /* FileDescription RwDrvDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520077004400720076002e007300790073 } /* InternalName RwDrvsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200770044007200760020004400720069007600650072 } /* ProductName RwDrvDriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520077004400720076002e007300790073 } /* OriginalFilename RwDrvsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Windowsrwinddkprovider_Vmdrvsys_Windowsrwinddkdriver_5C0B {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vmdrv.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921"
|
||
|
|
hash = "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351"
|
||
|
|
hash = "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "20989ad0-08b4-5fe0-b4cc-9846bdf4bb89"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0056006f006900630065006d006f00640020005600690072007400750061006c00200041007500640069006f00200044006500760069006300650020002800570044004d0029 } /* FileDescription VoicemodVirtualAudioDeviceWDM */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0076006d006400720076002e007300790073 } /* InternalName vmdrvsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0076006d006400720076002e007300790073 } /* OriginalFilename vmdrvsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200056006f006900630065006d006f006400200053002e004c002e0032003000310030002d0032003000320030 } /* LegalCopyright CopyrightCVoicemodSL */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_A130 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433"
|
||
|
|
hash = "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "c810bb03-5e0d-501a-af32-66a5f73b410e"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003800200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_5BD4 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "0cf3d047-c497-5957-b0d3-717220393501"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_88E2 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc"
|
||
|
|
hash = "f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478"
|
||
|
|
hash = "89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7"
|
||
|
|
hash = "3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a"
|
||
|
|
hash = "d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476"
|
||
|
|
hash = "e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06"
|
||
|
|
hash = "c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa"
|
||
|
|
hash = "6e944ae1bfe43a8a7cd2ea65e518a30172ce8f31223bdfd39701b2cb41d8a9e7"
|
||
|
|
hash = "59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879"
|
||
|
|
hash = "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd"
|
||
|
|
hash = "9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "e6f3c13e-0cec-5430-beeb-fc980dd29887"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310034 } /* LegalCopyright CopyrightCMarkRussinovich */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_1F4D {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c"
|
||
|
|
hash = "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e"
|
||
|
|
hash = "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e"
|
||
|
|
hash = "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b"
|
||
|
|
hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c"
|
||
|
|
hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036"
|
||
|
|
hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "145b846a-8721-5a56-aa76-6d7d5dd16562"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Novellinc_Novellxtier_B50F {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e"
|
||
|
|
hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "fc6032d2-ef08-5fdb-be73-39dd42185b13"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0x64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5"
|
||
|
|
hash = "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "370f3fc6-6199-5c19-a0b5-8c02fb89f30a"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0035 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0035 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* InternalName WinRingsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00520069006e00670030 } /* ProductName WinRing */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* OriginalFilename WinRingsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300037002d00320030003000380020004f00700065006e004c00690062005300790073002e006f00720067002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCOpenLibSysorgAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardwarereadwritedriver_21CC {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HwRwDrv.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "fa8e9fd9-7d07-5e05-a8d0-3769b9dd9157"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* FileDescription Hardwarereadwritedriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f0077007300ae002000770069006e006f007700730020003700200064007200690076006500720020006b006900740073002000700072006f00760069006400650072 } /* CompanyName Windowswinowsdriverkitsprovider */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0035002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0035002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0048007700520077004400720076002e007300790073 } /* InternalName HwRwDrvsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* ProductName Hardwarereadwritedriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0048007700520077004400720076002e007300790073 } /* OriginalFilename HwRwDrvsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightMicrosoftCorporationAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_AD8F {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "25dc4405-52ae-51f9-9afd-49f2a9fcaa08"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3124 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "25893130-a0b5-5c5c-b7d2-e22bf8eec311"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004600720065007100750065006e00630079005f00430043 } /* FileDescription NTIOLibforMSIFrequencyCC */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Monitor_win10_x64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "65b75be5-98a2-56ca-bb4a-cfd0c6871c0e"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f006200690074002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription IObitTemperatureMonitor */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00310031 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e0030002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d006f006e00690074006f0072002e007300790073 } /* InternalName Monitorsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006400760061006e006300650064002000530079007300740065006d0043006100720065 } /* ProductName AdvancedSystemCare */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d006f006e00690074006f0072002e007300790073 } /* OriginalFilename Monitorsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200049004f006200690074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright IObitAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Phoenixtechnologiesltd_Phlashnt_Winphlash_65DB {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PhlashNT.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "7c0b1c20-b3ef-56e9-b2e2-e2542c7a85e3"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300570069006e0046006c006100730068002000440072006900760065007200200066006f0072002000570069006e0064006f007700730020004e0054 } /* FileDescription SWinFlashDriverforWindowsNT */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500068006f0065006e0069007800200054006500630068006e006f006c006f0067006900650073002c0020004c00740064002e } /* CompanyName PhoenixTechnologiesLtd */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0031002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e0031002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500048004c004100530048004e0054 } /* InternalName PHLASHNT */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00500068006c006100730068 } /* ProductName WinPhlash */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500048004c004100530048004e0054002e005300590053 } /* OriginalFilename PHLASHNTSYS */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]002800630029002000500068006f0065006e0069007800200054006500630068006e006f006c006f0067006900650073002c0020004c00740064002e00200032003000300030002d0032003000300033 } /* LegalCopyright cPhoenixTechnologiesLtd */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7196 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "3b631d10-d727-53f8-8f56-87695e305198"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0038002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0038002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* InternalName ALSysIOsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f } /* ProductName ALSysIO */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* OriginalFilename ALSysIOsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300030003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "f1f06952-1500-57af-8486-eb127a90b110"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f"
|
||
|
|
hash = "523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba"
|
||
|
|
hash = "df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15"
|
||
|
|
hash = "9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c"
|
||
|
|
hash = "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6"
|
||
|
|
hash = "1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512"
|
||
|
|
hash = "5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe"
|
||
|
|
hash = "67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc"
|
||
|
|
hash = "80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1"
|
||
|
|
hash = "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758"
|
||
|
|
hash = "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90"
|
||
|
|
hash = "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "46f31bf7-9e9f-5fe2-95cc-1b0be823c41b"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310030002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Asustek_Driversys_Ectool_927C {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - driver7-x86-withoutdbg.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a"
|
||
|
|
hash = "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0"
|
||
|
|
hash = "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "4513216a-2654-5743-8550-01e82743f67a"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400680065002000640072006900760065007200200066006f007200200074006800650020004500430074006f006f006c0020006400720069007600650072002d0062006100730065006400200074006f006f006c0073 } /* FileDescription ThedriverfortheECtooldriverbasedtools */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300740065006b } /* CompanyName ASUStek */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0032 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044007200690076006500720037002e007300790073 } /* InternalName Driversys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0045004300200074006f006f006c } /* ProductName ECtool */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044007200690076006500720037 } /* OriginalFilename Driver */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020 } /* LegalCopyright Copyright */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CF4B {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "61555f9e-6caf-5c8c-b4ee-01046e04f744"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d005300490043006c006f0063006b005f00430043 } /* FileDescription NTIOLibforMSIClockCC */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_D783 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "12d08eab-49f0-5d40-bd2d-1a4834deaef1"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000330033 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "06a605d6-893e-5ee7-a3d7-bfb128363b81"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002e0031002e003100380037002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002e0031002e003100380037002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003100200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_42E1 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_I2cIo.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb"
|
||
|
|
hash = "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65"
|
||
|
|
hash = "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "eb5f5339-f11a-5502-8feb-4bfbd4698a31"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200031002c00200030002c00200030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200031002c00200030002c00200030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f002000640072006900760065007200200066006c0065 } /* ProductName BIOSTARIOdriverfle */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f0049003200630049006f002e007300790073 } /* OriginalFilename BSIcIosys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d0032003000300036002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Mitactechnologycorporation_Mtcbsvsys_Mitacsystemserviceprovider_C9CF {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mtcBSv64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "36fcbeca-f19e-54b8-9687-121bd9809e9d"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName MiTACTechnologyCorporation */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200031002c00200034002c00200030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200031002c00200034002c00200030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName MiTACSystemServiceProvider */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* OriginalFilename mtcBSvsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCMiTACTechnologyCorporation */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F65 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "7b5d5036-d7ec-5722-a18c-9ccaeea8088e"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310033 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003700200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viraglt64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "5ea684cc-982c-5056-9e80-26fe74cb3a64"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltxsys_Pancafemanager_0650 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanMonFltX64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "bc354ed5-befe-5421-9dbe-a5faef0cfa4a"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e004d006f006e0046006c0074005800360034002e007300790073 } /* InternalName PanMonFltXsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e00430061006600650020004d0061006e0061006700650072 } /* ProductName PanCafeManager */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e004d006f006e0046006c0074005800360034002e007300790073 } /* OriginalFilename PanMonFltXsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0131006c0131006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazlmBilisimTeknolojileriTicLtdSti */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_0F17 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "a54ff7bf-30a8-5cfc-aaca-a172bee2062b"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200320034002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200320034002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Novellinc_Novellxtier_6C71 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ncpl.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44"
|
||
|
|
hash = "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "730567f0-ae1e-5d8d-a9e6-df176faf4878"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Bsmisys_5962 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BSMIXP64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347"
|
||
|
|
hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "86a0715c-4f0b-52ba-b6dc-44bd4499a222"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053004d00490020004400720069007600650072 } /* FileDescription SMIDriver */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00420053004d0049002e007300790073 } /* InternalName BSMIsys */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053004d0049002e007300790073 } /* OriginalFilename BSMIsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000420049004f005300540041005200200043006f00720070002e00200032003000310031 } /* LegalCopyright CopyrightCBIOSTARCorp */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_99F4 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1"
|
||
|
|
hash = "56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7"
|
||
|
|
hash = "c2a4ddcc9c3b339d752c48925d62fc4cc5adbf6fae8fedef74cdd47e88da01f8"
|
||
|
|
hash = "50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793"
|
||
|
|
hash = "9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449"
|
||
|
|
hash = "6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4"
|
||
|
|
hash = "cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb"
|
||
|
|
hash = "d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530"
|
||
|
|
hash = "3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5"
|
||
|
|
hash = "fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03"
|
||
|
|
hash = "9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6"
|
||
|
|
hash = "f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d"
|
||
|
|
hash = "131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6"
|
||
|
|
hash = "e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2"
|
||
|
|
hash = "89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be"
|
||
|
|
hash = "18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805"
|
||
|
|
hash = "7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504"
|
||
|
|
hash = "79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57"
|
||
|
|
hash = "952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4"
|
||
|
|
hash = "101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558"
|
||
|
|
hash = "39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e"
|
||
|
|
hash = "85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94"
|
||
|
|
hash = "b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d"
|
||
|
|
hash = "d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482"
|
||
|
|
hash = "984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7"
|
||
|
|
hash = "e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1"
|
||
|
|
hash = "a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499"
|
||
|
|
hash = "a9706e320179993dade519a83061477ace195daa1b788662825484813001f526"
|
||
|
|
hash = "47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005"
|
||
|
|
hash = "38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a"
|
||
|
|
hash = "ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "b1168895-eef9-5dfc-9b19-b3e0e302586d"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_26E3 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43"
|
||
|
|
hash = "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf"
|
||
|
|
hash = "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "6820d35b-66a3-512f-a734-0adefbf6a183"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310033002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatftatcamfntamfnbvctvcbmftwc_5F5E {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Bs_Def.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be"
|
||
|
|
hash = "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5"
|
||
|
|
hash = "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3"
|
||
|
|
hash = "36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "e4e1fc9a-b453-5996-8675-7accb0de023e"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440065006600610075006c0074002000420049004f005300200046006c0061007300680020004400720069007600650072 } /* FileDescription DefaultBIOSFlashDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100730075007300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName AsusTekComputerInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320034 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00420073005f00440065006600360034002e007300790073 } /* InternalName BsDefsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007500700070006f0072007400200053005300540033003900530046003000320030002c0053005300540032003900450045003000320030002c004100540034003900460030003000320054002c00410054003200390043003000320030002c0041004d003200390046003000300032004e0054002c0041004d003200390046003000300032004e0042002c0056003200390043003500310030003000320054002c0056003200390043003500310030003000320042002c004d0032003900460030003000320054002c0057003200390043003000320030002e } /* ProductName SupportSSTSFSSTEEATFTATCAMFNTAMFNBVCTVCBMFTWC */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420073005f00440065006600360034002e007300790073 } /* OriginalFilename BsDefsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004100730075007300540065006b00200043006f006d00700075007400650072002e00200031003900390032002d0032003000300034 } /* LegalCopyright CopyrightCAsusTekComputer */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_Paniolibrary_6B83 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIOx64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "c5eec4c9-0210-5e0e-b819-96a6943f270d"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f007800360034002e007300790073 } /* InternalName PanIOxsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f007800360034002e007300790073 } /* OriginalFilename PanIOxsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_2A6D {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486"
|
||
|
|
hash = "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961"
|
||
|
|
hash = "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "85b7f3f1-6324-543f-8855-8cb13096b367"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310032002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "db7c877e-4b76-5b66-8a4f-a33cb7c76d5a"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200037 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Entechtaiwan_Seasys_Softenginex_6CB5 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Se64a.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "c6298a6f-761c-5e78-b97c-9713b29b0e00"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006e005400650063006800200073006f006600740045006e00670069006e006500200078003600340020006b00650072006e0065006c002d006d006f006400650020006400720069007600650072 } /* FileDescription EnTechsoftEnginexkernelmodedriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006e0054006500630068002000540061006900770061006e } /* CompanyName EnTechTaiwan */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065003600340061002e007300790073 } /* InternalName seasys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0073006f006600740045006e00670069006e0065002d007800360034 } /* ProductName softEnginex */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065003600340061002e007300790073 } /* OriginalFilename seasys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200045006e0054006500630068002000540061006900770061006e002c00200032003000300034002d0032003000300036002e } /* LegalCopyright CopyrightcEnTechTaiwan */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0B54 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "87caf882-a59a-55ca-89ce-a2c2115a1e50"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0038002e003100330030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0038002e003100330030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "323e0a63-c74c-5d9c-b3af-c64d2bceb724"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0035002e0033003900320036002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0035002e0033003900320036002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039"
|
||
|
|
hash = "b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "2c945052-bb7b-52be-9c11-18eedac5a28e"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000360035 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 500KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Zemanaltd_Zam_8FE9 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "45ac5fe9-25e2-5ee9-a410-95d19ec75e33"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310037002e003100310035 } /* ProductVersion */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_4932 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668"
|
||
|
|
hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e"
|
||
|
|
hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98"
|
||
|
|
hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "6fa00211-cb55-5870-92ec-18a6e2c7eb89"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3D9E {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "023a5c66-aae0-5583-95aa-0a62f3f27352"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004e00540049004f004c00690062005f00450043004f } /* FileDescription NTIOLibForNTIOLibECO */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002d00320030003100320020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_2BBE {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250"
|
||
|
|
hash = "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "fbe65027-5e7a-5944-bd8a-c0673cd165a1"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d0053004900530069006d0070006c0065005f004f0043 } /* FileDescription NTIOLibForMSISimpleOC */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002d00320030003100320020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_092D {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0"
|
||
|
|
hash = "0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "89160c3c-ff81-5425-a205-09be7fd5a412"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0031 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_62F5 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0"
|
||
|
|
hash = "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "e66960f5-d39e-5b0b-b573-77ffeb276925"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003000390039 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 500KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Yyinc_Dianhu_80CB {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Dh_Kernel_10.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3"
|
||
|
|
hash = "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "166a402d-9679-54b8-9703-3e3b2b001236"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006400690061006e00680075 } /* FileDescription dianhu */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0059005900200049006e0063002e } /* CompanyName YYInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00390039 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00390039 } /* ProductVersion */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]006400690061006e00680075 } /* ProductName dianhu */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300037002d003200300031003700200059005900200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightYYIncAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00"
|
||
|
|
hash = "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "6a773b61-ac40-5cdd-ad93-0b16061587f7"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200031 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_A5A5 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "b68851b2-66b6-5b8a-9aaa-918a34934a92"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0033002e0033003800340038002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0033002e0033003800340038002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_591B {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "b4f581f6-66e5-5b85-9b2d-b1532dd2defe"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d005300490052006100740069006f005f00430043 } /* FileDescription NTIOLibForMSIRatioCC */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_47EA {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84"
|
||
|
|
hash = "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "b14e5697-a0f7-5af0-a0da-0f5ca2d88c1c"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0032 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0032 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* InternalName WinRingsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00520069006e00670030 } /* ProductName WinRing */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* OriginalFilename WinRingsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCOpenLibSysorgAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_6532 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "b9a6e1e6-1bc5-587f-a31f-8dc55568ad9e"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300032 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300032 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310035002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_909D {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "8dcbf930-ae97-5389-9b68-793dc82b042b"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300032003000200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_AD40 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173"
|
||
|
|
hash = "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7"
|
||
|
|
hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "f5e53c71-1c12-5df8-a2cc-563473190c87"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410054004900200044006900610067006e006f007300740069006300730020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription ATIDiagnosticsHardwareAbstractionSys */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410054004900200054006500630068006e006f006c006f006700690065007300200049006e0063002e } /* CompanyName ATITechnologiesInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410054004900200044006900610067006e006f00730074006900630073 } /* ProductName ATIDiagnostics */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000410054004900200054006500630068006e006f006c006f006700690065007300200049006e0063002e002c00200032003000300033 } /* LegalCopyright CopyrightCATITechnologiesInc */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0CD4 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "6ee8fb67-896d-534f-9602-a0f46a43e5cd"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Novellinc_Novellxtier_E16D {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48"
|
||
|
|
hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790"
|
||
|
|
hash = "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a"
|
||
|
|
hash = "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "73d525b8-d109-5872-8841-b1c5149f732e"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_3FA6 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "25f27f08-3aab-5b8f-bf59-37a40de4fb44"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380030002e0030002e0031003000370037 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00380030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3E1D {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "d8d61d0b-d859-5e7e-9ef6-b232ab499560"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0030002e0031003100310033 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_6FB5 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "a9926e8c-f504-5926-8be0-e4e9ccf3b971"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_3943 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrDrv106.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838"
|
||
|
|
hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9"
|
||
|
|
hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d"
|
||
|
|
hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7"
|
||
|
|
hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c"
|
||
|
|
hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b"
|
||
|
|
hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "b35951c3-d0df-5a4d-8c81-333adee6310e"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Hpdevelopmentcompany_Etdsuppsys_Hpetdidriverdll_F744 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - etdsupp.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "cfc5dca9-7ccc-590e-a79e-07f13cbbb080"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004500540044006900200053007500700070006f007200740020004400720069007600650072 } /* FileDescription ETDiSupportDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200044006500760065006c006f0070006d0065006e007400200043006f006d00700061006e0079 } /* CompanyName HPDevelopmentCompany */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0030002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0030002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0065007400640073007500700070002e007300790073 } /* InternalName etdsuppsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048005000200045005400440069002000440072006900760065007200200044004c004c } /* ProductName HPETDiDriverDLL */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0065007400640073007500700070002e007300790073 } /* OriginalFilename etdsuppsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200031003900390031002d00320030003200320020004800650077006c006500740074002d005000610063006b00610072006400200044006500760065006c006f0070006d0065006e007400200043006f006d00700061006e0079002c0020004c002e0050002e } /* LegalCopyright CCopyrightHewlettPackardDevelopmentCompanyLP */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "9610cbd7-8521-54ea-a4db-c6d26048fb4b"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310036 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003800200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Phoenixtechnologies_Agentsys_Driveragent_4045 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Agent64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca"
|
||
|
|
hash = "8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f"
|
||
|
|
hash = "6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa"
|
||
|
|
hash = "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414"
|
||
|
|
hash = "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "41ccdc0b-ec41-51b3-9039-bf5206f9a79f"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004400720069007600650072004100670065006e0074002000440069007200650063007400200049002f004f00200066006f0072002000360034002d006200690074002000570069006e0064006f00770073 } /* FileDescription DriverAgentDirectIOforbitWindows */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500068006f0065006e0069007800200054006500630068006e006f006c006f0067006900650073 } /* CompanyName PhoenixTechnologies */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100670065006e007400360034002e007300790073 } /* InternalName Agentsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004400720069007600650072004100670065006e0074 } /* ProductName DriverAgent */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100670065006e007400360034002e007300790073 } /* OriginalFilename Agentsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0045006e0054006500630068002000540061006900770061006e002c00200031003900390037002d0032003000300039 } /* LegalCopyright EnTechTaiwan */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "1ee0136e-73bc-5b88-ae0b-74f3f53fe93f"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000360030002c00200030002c00200030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000360030002c00200030002c00200030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100310020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Novellinc_Novellxtier_904E {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NICM.SYS"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a"
|
||
|
|
hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "e9506ae9-b5ea-5ed7-a126-1b6070df89d0"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_F060 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - OpenLibSys.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "b6ebdc92-1ca5-5f13-beef-d6adf037e732"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* InternalName OpenLibSyssys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f00700065006e004c00690062005300790073 } /* ProductName OpenLibSys */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* OriginalFilename OpenLibSyssys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067 } /* LegalCopyright CopyrightCOpenLibSysorg */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_2A65 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrIbDrv.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a"
|
||
|
|
hash = "3384f4a892f7aa72c43280ff682d85c8e3936f37a68d978d307a9461149192de"
|
||
|
|
hash = "2470fd1b733314c9b0afa19fd39c5d19aa1b36db598b5ebbe93445caa545da5f"
|
||
|
|
hash = "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc"
|
||
|
|
hash = "0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb"
|
||
|
|
hash = "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "f98969ca-e570-5f95-93d8-5b73fc3221fd"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* FileDescription RWEverythingReadWriteDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520077004400720076002e007300790073 } /* InternalName RwDrvsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* ProductName RWEverythingReadWriteDriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520077004400720076002e007300790073 } /* OriginalFilename RwDrvsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "e46d3ca0-a605-503d-86ac-67ac7ac8c7cc"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000340037 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D0 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "9d4595ab-29a2-5b71-b03b-9730db4eadca"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_7795 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "77955af8a8bcea8998f4046c2f8534f6fb1959c71de049ca2f4298ba47d8f23a"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "28b6dde3-fb27-535d-b948-aafb2b95e1f4"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300032003200200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_9B1A {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "9dd62c3a-8f3c-5df0-a6a2-fcaa72c4ed16"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsys_Pancafemanager_7E01 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanMonFlt.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "1d9363a1-e32e-5989-8777-6e530efa6a55"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e004d006f006e0046006c0074002e007300790073 } /* InternalName PanMonFltsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e00430061006600650020004d0061006e0061006700650072 } /* ProductName PanCafeManager */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e004d006f006e0046006c0074002e007300790073 } /* OriginalFilename PanMonFltsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0131006c0131006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazlmBilisimTeknolojileriTicLtdSti */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Lenovogrouplimitedr_Lenovodiagnosticsdriversys_Lenovodiagnostics_F05B {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LenovoDiagnosticsDriver.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "791da32a-272c-5bde-9722-cc4c68321ad7"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073002000440072006900760065007200200066006f0072002000570069006e0064006f0077007300200031003000200061006e00640020006c0061007400650072002e } /* FileDescription LenovoDiagnosticsDriverforWindowsandlater */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c0065006e006f0076006f002000470072006f007500700020004c0069006d00690074006500640020002800520029 } /* CompanyName LenovoGroupLimitedR */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0034002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0034002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c0065006e006f0076006f0044006900610067006e006f00730074006900630073004400720069007600650072002e007300790073 } /* InternalName LenovoDiagnosticsDriversys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073 } /* ProductName LenovoDiagnostics */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c0065006e006f0076006f0044006900610067006e006f00730074006900630073004400720069007600650072002e007300790073 } /* OriginalFilename LenovoDiagnosticsDriversys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000320030003200310020004c0065006e006f0076006f002000470072006f007500700020004c0069006d0069007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright LenovoGroupLimitedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Dell_Dbutil_71FE {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DBUtilDrv2.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "172e8e13-e1ff-5caf-9759-d607ef072215"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440042005500740069006c } /* FileDescription DBUtil */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440065006c006c } /* CompanyName Dell */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0037002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00440042005500740069006c } /* ProductName DBUtil */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000320031002000440065006c006c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e0020 } /* LegalCopyright DellIncAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Atszio_Atsziodriver_673B {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b"
|
||
|
|
hash = "31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "bcd5bc05-5e71-5491-be7d-94cdbebddd9f"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0030002c00200032002c00200031002c00200032 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002c00200032002c00200031002c00200032 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f } /* InternalName ATSZIO */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030 } /* LegalCopyright CopyrightC */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Asus_Asmmapsys_Atkgenericfunctionservice_025E {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - asmmap64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "68572e19-5b92-57fb-b301-0224e00139cd"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0065006d006f007200790020006d0061007000700069006e00670020004400720069007600650072 } /* FileDescription MemorymappingDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005300550053 } /* CompanyName ASUS */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200039002c00200031 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200039002c00200030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00610073006d006d00610070002e007300790073 } /* InternalName asmmapsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410054004b002000470065006e0065007200690063002000460075006e006300740069006f006e00200053006500720076006900630065 } /* ProductName ATKGenericFunctionService */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00610073006d006d00610070002e007300790073 } /* OriginalFilename asmmapsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039 } /* LegalCopyright CopyrightC */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Novellinc_Novellxtier_FB81 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f"
|
||
|
|
hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22"
|
||
|
|
hash = "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "ba5a060c-e889-5f23-9938-7fbfceaae7af"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_7133 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "1d9df905-34d9-5503-b08d-ea4ff2cd826a"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e00320030003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsystem_23BA {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LHA.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade"
|
||
|
|
hash = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "8af33121-526d-5f4c-8cde-6e427f36ad97"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c00480041 } /* FileDescription LHA */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c004700200045006c0065006300740072006f006e00690063007300200049006e0063002e } /* CompanyName LGElectronicsInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c00480041002e007300790073 } /* InternalName LHAsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f0066007400ae002000570069006e0064006f0077007300ae0020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c00480041002e007300790073 } /* OriginalFilename LHAsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0075006c00740072006100620069006f007300400068006f0074006d00610069006c002e0063006f006d } /* LegalCopyright ultrabioshotmailcom */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Logmeininc_Lmiinfosys_Logmein_453B {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LMIinfo.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "50e671ec-752c-5494-97bc-bd29cd7452f1"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0067004d00650049006e0020004b00650072006e0065006c00200049006e0066006f0072006d006100740069006f006e002000500072006f00760069006400650072 } /* FileDescription LogMeInKernelInformationProvider */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f0067004d00650049006e002c00200049006e0063002e } /* CompanyName LogMeInInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e0031002e0030002e0033003200320030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e0031002e0030002e0033003200320030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c004d00490069006e0066006f002e007300790073 } /* InternalName LMIinfosys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c006f0067004d00650049006e } /* ProductName LogMeIn */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c004d00490069006e0066006f002e007300790073 } /* OriginalFilename LMIinfosys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033002d00320030003100370020004c006f0067004d00650049006e002c00200049006e0063002e00200050006100740065006e00740065006400200061006e006400200070006100740065006e00740073002000700065006e00640069006e0067002e } /* LegalCopyright CopyrightLogMeInIncPatentedandpatentspending */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_C628 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "35330a4b-841a-5e61-b8c1-5e02f61ec021"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200037002c00200030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200037002c00200030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310034002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2FBB {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "a688139a-c44f-5a93-933d-73369facec6c"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200032 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BCED {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "25dd8cda-6aa3-595c-8502-cc83e04b8235"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e00330030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e00330030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300035 } /* LegalCopyright CopyrightCMRussinovich */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow8x64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "48446c71-f353-5f4f-a158-20bc7dec694f"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* InternalName rtkiowxsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "c1e8abd1-14c1-5ddd-87cb-647dfcc652fd"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0031002e0032 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003500200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "b578c798-3923-51b7-80c7-b4e123dc8747"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310038 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003900200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Safenetinc_Hostnt_Hostnt_07B6 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HOSTNT.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "a1210220-529b-5103-888f-aaa707040eee"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006f00730074006e0074002000360034002d0062006900740020006400720069007600650072 } /* FileDescription Hostntbitdriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053006100660065004e00650074002c00200049006e0063002e } /* CompanyName SafeNetInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200030002c002000310036002c00200030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200030002c002000310036002c00200030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0048006f00730074006e0074 } /* InternalName Hostnt */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048006f00730074006e0074 } /* ProductName Hostnt */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0048006f00730074006e0074002e007300790073 } /* OriginalFilename Hostntsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000200053006100660065004e00650074002c00200049006e0063002e } /* LegalCopyright CopyrightCSafeNetInc */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9A91 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo11X64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "a8c05c92-a133-5f8f-bc4e-ff7e21f262e0"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* CompanyName RivetNetworksLLC */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0038002e0034002e00350039 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0038002e0034002e00350039 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* InternalName KfeCoDrvsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c } /* ProductName KillerTrafficControl */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* OriginalFilename KfeCoDrvsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d00320030003100380020005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* LegalCopyright CopyrightCRivetNetworksLLC */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Zemanaltd_Zam_7CB5 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "4af76d57-3f28-5d80-b72a-796f65942488"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* ProductVersion */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdriver_2AA1 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrAutoChkUpdDrv.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "78768248-afa1-5e3c-a9cd-c9ab73ea4f74"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076002e007300790073 } /* InternalName AsrAutoChkUpdDrvsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* ProductName AsrAutoChkUpdDrvDriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076002e007300790073 } /* OriginalFilename AsrAutoChkUpdDrvsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd"
|
||
|
|
hash = "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "ef15eec0-caf8-58e9-9c63-cfee3275253d"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000370030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Novellinc_Novellxtier_2899 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7"
|
||
|
|
hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "f1b0bccc-950b-5039-b181-fe4cee4e84b1"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_818E {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "534b26bd-7298-5e16-ba49-f48b1bc405d7"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000370038 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 500KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_6FFD {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "b0799b63-2938-586a-8a10-c3d9916b3d01"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c00650020004e006f00540072006100700020004200750069006c0064 } /* FileDescription TrendMicroCommonModuleNoTrapBuild */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0030002e0031003100300034 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_7710 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c"
|
||
|
|
hash = "8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2"
|
||
|
|
hash = "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88"
|
||
|
|
hash = "f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "9b4f6fc7-e597-5efd-9a85-6fd63fa9844b"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310035002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserverddkdriver_22BE {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - speedfan.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "c683be43-e577-5248-8a28-b13dbefd7f91"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200044006500760069006300650020004400720069007600650072 } /* FileDescription SpeedFanDeviceDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0073007000650065006400660061006e002e007300790073 } /* InternalName speedfansys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0073007000650065006400660061006e002e007300790073 } /* OriginalFilename speedfansys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_9131 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - OpenLibSys.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "94026bd4-e66c-551c-b054-b3b5191a5bb2"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* InternalName OpenLibSyssys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f00700065006e004c00690062005300790073 } /* ProductName OpenLibSys */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* OriginalFilename OpenLibSyssys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067 } /* LegalCopyright CopyrightCOpenLibSysorg */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "888a2b05-46c1-54b2-a996-14fb9fae5779"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000330038002c00200030002c00200030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000330038002c00200030002c00200030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100310020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "106afe18-1312-559d-87f5-319d67d36435"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0032002e0033 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0032002e0033 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_075D {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85"
|
||
|
|
hash = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "e58174ba-c931-549b-bf5d-bdc9aeb362cc"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00330032 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00330032 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320030 } /* LegalCopyright CopyrightCMarkRussinovich */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_AE42 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471"
|
||
|
|
hash = "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2"
|
||
|
|
hash = "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "65c75c41-8edb-526b-b0e8-73eea5cb7502"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003300200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00330020007800360034 } /* ProductVersion x */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0033 } /* ProductName MsIoDriverVersion */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003200310020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_3724 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "1305b627-146c-5ec6-9e27-abac84f5a2f4"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0032002e003100310039003200330030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0032002e003100310039003200330030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100390020005000750062006c00690063 } /* ProductName AntidetectPublic */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100390020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 400KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "24415567-6904-52b1-964d-1a0a4aefe08e"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200033002c00200032 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee"
|
||
|
|
hash = "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "208dd67e-2d2d-5104-a497-1311cea9e223"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062005f005800360034 } /* FileDescription NTIOLibX */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* InternalName NTIOLibXsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034 } /* ProductName NTIOLibX */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100340020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_6BFC {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e"
|
||
|
|
hash = "3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc"
|
||
|
|
hash = "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "c5104fcb-7d6a-54dc-a79e-366f16ecd8a0"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310031 } /* LegalCopyright CopyrightCMRussinovich */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_7A48 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "7c796850-8413-53b0-bbbd-4991c1af6626"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340031 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340031 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Zemanaltd_Zam_45F4 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "56dc2fa5-c19c-5a77-9590-e7a957ccb27f"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e003800360035 } /* ProductVersion */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4D05 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee"
|
||
|
|
hash = "77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9"
|
||
|
|
hash = "cff9aa9046bdfd781d34f607d901a431a51bb7e5f48f4f681cc743b2cdedc98c"
|
||
|
|
hash = "b51ddcf8309c80384986dda9b11bf7856b030e3e885b0856efdb9e84064917e5"
|
||
|
|
hash = "ff115cefe624b6ca0b3878a86f6f8b352d1915b65fbbdc33ae15530a96ebdaa7"
|
||
|
|
hash = "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5"
|
||
|
|
hash = "57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572"
|
||
|
|
hash = "d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "e52c22aa-347f-5618-93b8-b4dab3f04b35"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0034 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300030003600200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_86A1 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "57b41ebc-6c75-5ba3-b2fc-0bb50e92207b"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "8242879f-ce39-5f05-b43e-ec2c6b185e82"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0031003100300036 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_BE8D {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "e655289a-61d1-5908-b495-ce2c00caae3c"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0034002e0033003800390031002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0034002e0033003800390031002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3070 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "38ae805f-4be8-526f-b3b3-d644b05c2b25"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0053004900200043006f006d00430065006e00530065007200760069006300650020004400720069007600650072 } /* FileDescription MSIComCenServiceDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CC58 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "cfb96174-106f-5ad0-875b-1be75f70ce51"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodenamelonghornddkdriver_916C {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677"
|
||
|
|
hash = "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab"
|
||
|
|
hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "346488b2-5390-528e-8d54-5ed3dbc6e322"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f002e007300790073 } /* InternalName rtkiosys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f002e007300790073 } /* OriginalFilename rtkiosys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E4D9 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "b0ef62c7-b223-5d70-883d-1a6a3d28dc0d"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00350030002e0030002e0031003000350038 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00350030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C74 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CupFixerx64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "32559d4c-eef4-5b67-a74c-f89589bc446b"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006e0063006500790020004300750070002000460069007800650072 } /* FileDescription SinceyCupFixer */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00330032002e0030002e00310030003000310031002e00310033003300330037 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00330032002e0030002e00310030003000310031002e00310033003300330037 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00430075007000460069007800650072007800360034002e007300790073 } /* InternalName CupFixerxsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00430075007000460069007800650072007800360034002e007300790073 } /* OriginalFilename CupFixerxsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B175 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "1c0669aa-b156-580f-9bb0-d69502af6a7f"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390036 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390036 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000370020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_2AFD {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "4dc89f62-c0e0-5abf-9774-3ca21f8a1d8e"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000390038 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 400KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Asustekcomputerinc_Iomapsys_Asuskernelmodedriverfornt_EA85 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IOMap64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "8b2fbab4-4b54-57dc-9591-1d993e844dc0"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* FileDescription ASUSKernelModeDriverforNT */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f004d00610070002e007300790073 } /* InternalName IOMapsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* ProductName ASUSKernelModeDriverforNT */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f004d00610070002e007300790073 } /* OriginalFilename IOMapsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003100300020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E05E {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "71c7a688-d20a-57c3-b4c5-b8344e936900"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000370032002c00200030002c00200030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000370032002c00200030002c00200030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E452 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "15332784-229c-5b5e-b06c-2ea6cff64113"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0032002e0033003800320037002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0032002e0033003800320037002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_5596 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hw.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa"
|
||
|
|
hash = "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "2a470258-2ec1-5d80-8ce8-d8f83a27c365"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d003100300020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e } /* CompanyName MarvinTestSolutionsInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0039002e0038002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0039002e0038002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077002e007300790073 } /* InternalName Hwsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00480057 } /* ProductName HW */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480057002e007300790073 } /* OriginalFilename HWsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390036002d00320030003200310020004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightMarvinTestSolutionsIncAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Mydriverscom_Hwm_Drivergenius_08EB {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mydrivers.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "a944a7a1-f938-548e-8788-a4733d777850"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200470065006e0069007500730020004800610072006400770061007200650020006d006f006e00690074006f0072 } /* FileDescription DriverGeniusHardwaremonitor */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00790044007200690076006500720073002e0063006f006d } /* CompanyName MyDriverscom */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0032002e003700300037002e0031003200310034 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032003000310036002e0037002e0037002e0031003200310034 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480057004d } /* InternalName HWM */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00440072006900760065007200470065006e006900750073 } /* ProductName DriverGenius */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d00790064007200690076006500720073002e007300790073 } /* OriginalFilename mydriverssys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020004d00790044007200690076006500720073002e0063006f006d00200061006c006c002000720069006700680074 } /* LegalCopyright CopyrightMyDriverscomallright */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "5e116c70-6da1-5397-9b73-32955086c886"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0037002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0037002e0031002e0031 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300037002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Powertool_Kevpsys_Powertool_8E63 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f"
|
||
|
|
hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184"
|
||
|
|
hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "0010c121-11bb-5068-a06d-aa136e5af0ad"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_3B6E {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "d2e411b6-da38-5ff0-a24a-78064a5fafcf"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7C73 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b"
|
||
|
|
hash = "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "ab7574a5-acba-5e3d-9259-e5833d43d195"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320039 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 400KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1A42 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "d776ad80-318f-5e3c-b006-daa70a14aff4"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EC5F {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "1d73baba-017c-527d-9eb8-0eb9865656b6"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000370038 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 400KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_34E0 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "11164331-fdba-5e7d-a2ea-4621b438060a"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0035002e00390036002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0035002e00390036002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_D0BD {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "81712338-7518-565a-8004-4708808d93ee"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e00300031 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e00300031 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Zemanaltd_Zam_3C18 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "94b7a58c-0092-5d81-985f-330599efe25a"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310036002e003900320038 } /* ProductVersion */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "a337e8f1-1473-51a4-9098-69719f0c48e4"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000370034002c00200030002c00200030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000370034002c00200030002c00200030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_3D23 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "b29e4411-a408-5bd5-a763-73c18b85e2b2"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440054002000520065007300650061007200630068002c00200049006e0063002e } /* CompanyName DTResearchInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0033002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0033002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* InternalName iomemsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* ProductName iomemsys */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* OriginalFilename iomemsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0044005400200052006500730065006100720063006800200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright DTResearchIncAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_496F {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "7754e086-1936-5e47-9576-ee940453c5e7"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0035002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0035002e0031002e0031 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300036002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_1B00 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e"
|
||
|
|
hash = "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "d29981ff-6c7b-55fb-a77e-c16755e988ab"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310032002e00300030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e00300030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310030 } /* LegalCopyright CopyrightCMRussinovich */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Multitheftauto_Mtasanandreas_9F4C {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FairplayKD.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "a7059f0e-ae46-506f-a3c0-8ecb6911cd1d"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0075006c007400690020005400680065006600740020004100750074006f0020007000610074006300680020006400720069007600650072 } /* FileDescription MultiTheftAutopatchdriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0075006c007400690020005400680065006600740020004100750074006f } /* CompanyName MultiTheftAuto */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]003300360037002e0033003200360039002e00360031002e00360034 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003300360037002e0033003200360039002e00360031002e00360034 } /* ProductVersion */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00540041002000530061006e00200041006e00640072006500610073 } /* ProductName MTASanAndreas */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]002800430029002000320030003000330020002d002000320030003100370020004d0075006c007400690020005400680065006600740020004100750074006f } /* LegalCopyright CMultiTheftAuto */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "ec2c7c9f-d4cd-5497-9de5-4948767ba125"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_EF6D {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "28e934c7-1705-5dd7-967f-ac259af3809e"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Microfocus_Microfocusxtier_95D5 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "394be6fa-5c49-5af2-ac20-d0da0ffe7624"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription XTierCOMServicesDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073 } /* CompanyName MicroFocus */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073002000580054006900650072 } /* ProductName MicroFocusXTier */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310037002c0020004d006900630072006f00200046006f006300750073002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightMicroFocusAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E3EF {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "3778fe25-a5d5-5cb0-8f03-9ceed5d71aa9"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003100300031 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 500KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "f523949b-aff9-532a-9f13-983f4a47635d"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0039002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0039002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* InternalName ALSysIOsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f } /* ProductName ALSysIO */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* OriginalFilename ALSysIOsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300030003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibrary_F596 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIO.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "098abff0-1471-5793-8366-89df85dc216c"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* InternalName PanIOsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* OriginalFilename PanIOsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_1768 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "4d79b72a-0848-5fe4-89fe-b16ab03d18d3"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0038002e003100330037002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0038002e003100330037002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_9A54 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "17496639-ec11-519b-8143-2d43568e09cd"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Oti_Otipcibussys_Kernelmodedrivertoaccessphysicalmemoryandports_4E3E {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - otipcibus.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "71052609-e8a3-5611-ad92-8cf43a0fddf0"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200041006300630065007300730020004400720069007600650072 } /* FileDescription HardwareAccessDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00540069 } /* CompanyName OTi */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000300030002e0030002e0031 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000300030002e0030002e0031 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006f0074006900700063006900620075007300360034002e007300790073 } /* InternalName otipcibussys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200054006f002000410063006300650073007300200050006800790073006900630061006c0020004d0065006d006f0072007900200041006e006400200050006f007200740073 } /* ProductName KernelModeDriverToAccessPhysicalMemoryAndPorts */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006f0074006900700063006900620075007300360034002e007300790073 } /* OriginalFilename otipcibussys */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_DCB8 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "72ff75ea-c085-51bc-806e-1a43127d1c64"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_CFCF {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "a4c49dca-e35c-5326-9b30-729ecf65653c"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320020007800360034 } /* ProductVersion x */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName MsIoDriverVersion */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100390020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_DD4A {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "65abda74-40d3-57c2-ade1-463b3e1ad1ef"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440054002000520065007300650061007200630068002c00200049006e0063002e } /* CompanyName DTResearchInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* InternalName iomemsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* ProductName iomemsys */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* OriginalFilename iomemsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0044005400200052006500730065006100720063006800200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright DTResearchIncAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Pchuntersys_Pchunter_1B7F {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PCHunter.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "229e07ae-2358-5b7e-843d-a0038c57dcd0"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00450070006f006f006c0073006f00660074002000570069006e0064006f0077007300200049006e0066006f0072006d006100740069006f006e0020005600690065007700200054006f006f006c0073 } /* FileDescription EpoolsoftWindowsInformationViewTools */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]4e00666e660e4e3aff0853174eacff094fe1606f6280672f67099650516c53f8 } /* CompanyName */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0034 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0034 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004300480075006e007400650072002e007300790073 } /* InternalName PCHuntersys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050004300480075006e007400650072 } /* ProductName PCHunter */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004300480075006e007400650072002e007300790073 } /* OriginalFilename PCHuntersys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200032003000310033002d0032003000310036002000450070006f006f006c0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CEpoolsoftCorporationAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 800KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "87ed66d7-4903-5334-9bdb-90ba882c3e98"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Novellinc_Novellxtier_8E88 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "29276926-535b-55f9-a882-845fc9561513"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Zemanaltd_Zam_E428 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "3a87403b-9df1-566b-af2d-e22732584b63"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310037002e003900380034 } /* ProductVersion */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "e1be6d99-bee6-5208-976b-04a2fde0602b"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100300036 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 400KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Huawei_Hwosec_Huaweimatebook_B179 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HwOs2Ec7x64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de"
|
||
|
|
hash = "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "7fdaa5bb-7874-51cc-90a0-d718b5ad7ac8"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480077004f0073003200450063 } /* FileDescription HwOsEc */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004800750061007700650069 } /* CompanyName Huawei */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077004f0073003200450063 } /* InternalName HwOsEc */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048007500610077006500690020004d0061007400650042006f006f006b } /* ProductName HuaweiMateBook */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480077004f0073003200450063002e007300790073 } /* OriginalFilename HwOsEcsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310036 } /* LegalCopyright CopyrightC */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_A468 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HpPortIox64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "ee20509d-fdf5-5c5a-8f49-5392c6f015ad"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200049006e0063002e } /* CompanyName HPInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* InternalName HpPortIoxsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800700050006f007200740049006f } /* ProductName HpPortIo */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* OriginalFilename HpPortIoxsys */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Zemanaltd_Zam_7661 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "cf60dd6e-f13e-5498-b3e1-b28c4b469f10"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310038002e003200320039 } /* ProductVersion */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_8B92 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "158dd78f-3665-59d6-8528-f4489791d55e"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_881B {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "926f0aef-ede3-554e-874d-7b617efbf2bd"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0033002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0033002e0031002e0031 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300035002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "63cc2959-9cfa-575d-894f-fbb63349a4e7"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000370033 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 400KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_80A5 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "80e3827b-44e7-5b59-a7db-c7daf0e38664"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000390031 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Microfocus_Microfocusxtier_5351 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "e2d580c9-79e6-53f1-ab4a-77e2715b6f91"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200053006500630075007200690074007900200043006f006e00740065007800740020004d0061006e0061006700650072 } /* FileDescription XTierSecurityContextManager */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073 } /* CompanyName MicroFocus */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073002000580054006900650072 } /* ProductName MicroFocusXTier */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310037002c0020004d006900630072006f00200046006f006300750073002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightMicroFocusAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxdrv.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f"
|
||
|
|
hash = "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "c367a41e-58e4-59cd-a3f4-dfcd001e7040"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e007200340035003800340036 } /* FileVersion r */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e007200340035003800340036 } /* ProductVersion r */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_5FAD {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36"
|
||
|
|
hash = "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "95bb049c-cef2-5235-8e3d-ebe9591b7e27"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310036002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310036002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_A072 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4"
|
||
|
|
hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b"
|
||
|
|
hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "caf170d7-172f-56eb-beae-0c40e7ac78fa"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2A62 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "7c67b2a6-a2da-56ce-8ed4-017838ea7673"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000360035002c00200030002c00200030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000360035002c00200030002c00200030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100320020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_AAA3 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "9b0770d3-d004-552f-be65-6dcc14f06cc7"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0032002e0033003800320030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0032002e0033003800320030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avastsoftware_Aswvmmsys_Avastantivirus_3650 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswVmm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "1b3abcb0-5317-58f0-bb7a-6bc1996483fa"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00610076006100730074002100200056004d0020004d006f006e00690074006f0072 } /* FileDescription avastVMMonitor */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e0030002e0031003400390037002e003300370036 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e0030002e0031003400390037002e003300370036 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0061007300770056006d006d002e007300790073 } /* InternalName aswVmmsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00610076006100730074002100200041006e0074006900760069007200750073 } /* ProductName avastAntivirus */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061007300770056006d006d002e007300790073 } /* OriginalFilename aswVmmsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003300200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_31F4 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427"
|
||
|
|
hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38"
|
||
|
|
hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "e7728971-efb9-5c8b-8600-8f2b393d966e"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00310038003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0031003800330030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "b5062d65-a4bc-5d0e-9883-7c1fa54138e8"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050004e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPNPDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037003100320030003100300031 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]006700640072007600360034 } /* ProductName gdrv */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_CF69 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "609554bc-0f2f-5861-ad56-fc7a772459a6"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_4408 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "d5bbf94d-394a-599e-93f3-6f9d79cca02f"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340033 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340033 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B583 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo10X64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "eff26fc8-a458-5c15-8a0b-86773f8f6289"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* CompanyName RivetNetworksLLC */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0037002e0034002e00310031 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0037002e0034002e00310031 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* InternalName KfeCoDrvsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c } /* ProductName KillerTrafficControl */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* OriginalFilename KfeCoDrvsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d00320030003100380020005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* LegalCopyright CopyrightCRivetNetworksLLC */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_ED2F {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "288ce092-a3f2-57d0-9d28-a0c4b6faa52f"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380030002e0030002e0031003000360033 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00380030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolib_09BE {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "30b7487c-d5b7-52b1-a209-f6eb01f0f406"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* InternalName NTIOLibXsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_A802 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "9cb0be23-e1d9-5698-bde2-81a870f81f83"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0031003100320031 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0F01 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "0328757c-e561-567c-b7ad-7e6bcba19bb5"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "5ccaf486-04c4-5066-b307-e76b6e484d01"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e007200340039003300310035 } /* FileVersion r */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e007200340039003300310035 } /* ProductVersion r */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_478D {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "13ee4d76-b778-593e-85e6-8402d01352e8"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000380032 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 400KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Activeclean_A903 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "3142d323-869f-5e25-b860-da2c34f659ce"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000350032 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006300740069007600650043006c00650061006e } /* ProductName ActiveClean */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3FF3 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa"
|
||
|
|
hash = "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "ce58b5cb-437a-56b2-8ccb-9399ce2ef6c3"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00340030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00340030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310030 } /* LegalCopyright CopyrightCMRussinovich */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BDBC {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "a101f69b-ca19-5aeb-a168-1a10dbd6ec12"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00300031 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00300031 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300037 } /* LegalCopyright CopyrightCMRussinovich */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7837 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "47963173-d9a8-5a16-9959-d99e6e8920f3"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000350036 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 400KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0B2A {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "9e448b85-4455-5a80-9147-e6c83b1427aa"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0037002e0034003000330031002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0037002e0034003000330031002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Copyright_Advancedmalwareprotection_6F55 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amsdk.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "6eb82ac7-9544-5554-b7af-557dd843d29d"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* FileDescription AdvancedMalwareProtection */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007000790072006900670068007400200032003000310038002e } /* CompanyName Copyright */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* ProductVersion */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* ProductName AdvancedMalwareProtection */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005a0041004d002e006500780065 } /* OriginalFilename ZAMexe */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000310038002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "2942b5b0-7270-5b7a-98f7-beee11e7aa57"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_2D2C {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "f2aefc0c-b851-5341-acee-20d02c838548"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0036 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003200200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "a563b3de-1a05-55bf-ae93-03e84ef1cb26"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_119C {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "abb75d3f-eeb2-5ae7-976a-3f9e8627d6ca"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f00360034 } /* FileDescription ALSysIO */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e00310031002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e00310031002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f00360034002e007300790073 } /* InternalName ALSysIOsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f00360034 } /* ProductName ALSysIO */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f00360034002e007300790073 } /* OriginalFilename ALSysIOsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300031003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_263E {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "2ff1ee8e-cd67-58e7-b301-e1f7712b6031"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00320035002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320035002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100300020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_E839 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "8a7a82a3-f24e-5887-9d95-a997179616d9"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004300500055005f00430043 } /* FileDescription NTIOLibforMSICPUCC */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmemsys_Physicalmemoryaccessdriver_C299 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - physmem.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "1759efbf-dabf-5790-a624-9e344884f98c"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* FileDescription PhysicalMemoryAccessDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00480069006c0073006300680065007200200047006500730065006c006c0073006300680061006600740020006600fc0072002000530079007300740065006d0061006f00750074006f006d006100740069006f006e0020006d00620048 } /* CompanyName HilscherGesellschaftfrSystemaoutomationmbH */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0070006800790073006d0065006d002e007300790073 } /* InternalName physmemsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* ProductName PhysicalMemoryAccessDriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0070006800790073006d0065006d002e007300790073 } /* OriginalFilename physmemsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000480069006c0073006300680065007200200047006500730065006c006c0073006300680061006600740020006600fc0072002000530079007300740065006d0061006f00750074006f006d006100740069006f006e0020006d00620048002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright HilscherGesellschaftfrSystemaoutomationmbHAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_AF10 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "f80640c2-ec8d-5350-ba26-4dc6974816f2"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "55ef1733-e9e8-5c60-8461-233e4fa4f0ae"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200032 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "d2e1c8d4-b8a7-5a0d-817a-f68ddda1c652"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200034 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200034 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Cyreninc_Amp_Cyrenamp_CBB8 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amp.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "a2b01649-d98b-5d99-9fb3-e9a648db62ad"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00500020004d0069006e006900660069006c007400650072 } /* FileDescription AMPMinifilter */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043005900520045004e00200049006e0063002e } /* CompanyName CYRENInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0034002e00310031002e0031 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0034002e00310031002e0031 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d0050 } /* InternalName AMP */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005900520045004e00200041004d005000200035 } /* ProductName CYRENAMP */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061006d0070002e007300790073 } /* OriginalFilename ampsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000310039003900390020002d00200032003000310034002e00200043005900520045004e00200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCYRENIncAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - superbmc.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "bf870b5d-ab2d-587d-a7ce-da7a02960d2c"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007300750070006500720062006d0063 } /* FileDescription superbmc */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* CompanyName SuperMicroComputerInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007300750070006500720062006d0063 } /* InternalName superbmc */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]007300750070006500720062006d0063 } /* ProductName superbmc */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007300750070006500720062006d0063002e007300790073 } /* OriginalFilename superbmcsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280063002900200031003900390033002d00320030003100350020005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* LegalCopyright CopyrightcSuperMicroComputerInc */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_1023 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "45f59f43-b8eb-5c58-a386-a7bb19a88253"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0031002e0033003800300030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0031002e0033003800300030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54"
|
||
|
|
hash = "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "b2a52cf7-6f64-5409-8764-e26f7b9e45c8"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0031002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003500200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_AD23 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "df1de7d1-dd2a-5c6c-980d-a080b343f4f7"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5"
|
||
|
|
hash = "0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c"
|
||
|
|
hash = "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f"
|
||
|
|
hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece"
|
||
|
|
hash = "ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "a7b74018-53bc-5f36-b1cd-50d87c5928e0"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0031002e0037 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0031002e0037 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_BCFC {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "aabd529a-516f-5e7f-85e2-b7fa207b89cd"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000340039 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 500KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b"
|
||
|
|
hash = "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "e7e01116-2971-59fd-bada-ac22cdc17670"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_DBC6 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "9a004873-765d-5db7-87e1-8796286635e3"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00350030002e0030002e0031003000340031 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00350030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100340020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F15A {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "ec067130-dde8-58a8-884f-eeda3c7adf57"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310035002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310035002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_4E37 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "c827a2fc-e533-5113-a7e5-8ae4f5718d63"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100340030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_ECD0 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "f683f7c5-15cb-5e1b-9d6e-4261c85a581a"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003100370036 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 400KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "6ea52f09-df49-5bc4-a3bc-34a80e78b739"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "d405ca94-8b2c-57cd-b6da-8dbfd5f8d858"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100310037 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 400KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_D205 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_RCIO64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "ea90277d-696d-5674-b679-9a340359e853"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0031003900300031002e0031003100300030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0031003900300031002e0031003100300030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f0020006400720069007600650072 } /* ProductName BIOSTARIOdriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f005200430049004f00360034002e007300790073 } /* OriginalFilename BSRCIOsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310038002d0032003000310039002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D8 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amifldrv64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20"
|
||
|
|
hash = "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "9c05031d-2062-53fb-982c-f874bf902b48"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0049002000470065006e00650072006900630020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription AMIGenericUtilityDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0061006d00690066006c006400720076002e007300790073 } /* InternalName amifldrvsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061006d00690066006c006400720076002e007300790073 } /* OriginalFilename amifldrvsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxdriverversion_X_F581 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpoutx64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af"
|
||
|
|
hash = "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b"
|
||
|
|
hash = "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "2103d553-3e8a-5f81-b54e-c125aa7746ca"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048006900670068007200650073006f006c007500740069006f006e00200045006e0074006500720070007200690073006500730020005b007700770077002e006800690067006800720065007a002e0063006f002e0075006b005d } /* CompanyName HighresolutionEnterpriseswwwhighrezcouk */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320020007800360034 } /* ProductVersion x */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006e0070006f00750074007800360034002e007300790073 } /* InternalName inpoutxsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006e0070006f007500740078003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName inpoutxDriverVersion */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006e0070006f00750074007800360034002e007300790073 } /* OriginalFilename inpoutxsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300030003800200048006900670068007200650073006f006c007500740069006f006e00200045006e007400650072007000720069007300650073002e00200050006f007200740069006f006e007300200043006f007000790072006900670068007400200028006300290020004c006f00670069007800340075 } /* LegalCopyright CopyrightcHighresolutionEnterprisesPortionsCopyrightcLogixu */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_12ED {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "d8599978-d388-5b67-99ff-d4bde156b433"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320031 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 400KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_EBE2 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "6d854b08-4675-53c5-9d7f-753c94310df0"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0032002e0034003100350037002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0032002e0034003100350037002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_A334 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d"
|
||
|
|
hash = "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "50cf8320-c182-5f59-b2a7-750c618312bf"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310038002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310038002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "14390895-6fae-5e00-9d0d-76347782873c"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003100320034 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_4BC0 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "da911735-e7b3-5721-8254-958f25b0efa1"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00320030002e0030002e0031003000310032 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00320030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocker_F85C {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IObitUnlocker.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "a9cbfdc3-6c84-5c6f-98a9-8cf77cc32d9d"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription UnlockerDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f00620069007400200049006e0066006f0072006d006100740069006f006e00200054006500630068006e006f006c006f00670079 } /* CompanyName IObitInformationTechnology */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0030002e00310030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0030002e00310030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0055006e006c006f0063006b00650072 } /* ProductName Unlocker */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200049004f006200690074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright IObitAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_93D8 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "d300e7a0-b24b-5d52-b850-0aab145b33c5"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_358A {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "78b84e8a-1f92-5954-a1da-19d7208279db"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_9B6A {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "8fc2f891-9898-551b-8a21-5222af319764"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00320037 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00320037 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310039 } /* LegalCopyright CopyrightCMarkRussinovich */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_7D43 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "6c041a1a-b6f2-50f1-a079-1a4abc0c1f37"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310037002e0039002e0033003700360031002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037002e0039002e0033003700360031002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310034002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_ADC1 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "77819373-6f49-56bc-8636-d25cd75491b7"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0031003000310036 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_9491 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "1ac2562c-9d06-5372-bc45-e9491a7bfeea"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Fujitsulimited_Advdrvsys_Microsoftrwindowsroperatingsystem_04A8 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ADV64DRV.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "fa878fd1-9d19-561e-bd01-b4693a48f480"
|
||
|
|
strings:
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460055004a00490054005300550020004c0049004d0049005400450044002e } /* CompanyName FUJITSULIMITED */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410044005600360034004400520056002e007300790073 } /* InternalName ADVDRVsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f006600740052002000570069006e0064006f0077007300520020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftRWindowsROperatingSystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410044005600360034004400520056002e007300790073 } /* OriginalFilename ADVDRVsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002800430029002000460055004a00490054005300550020004c0049004d004900540045004400200032003000300035 } /* LegalCopyright CopyrightCFUJITSULIMITED */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_FF96 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "aa757ead-9ab0-5c5f-ba50-f310130e3d08"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003900200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_7795 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "84866b07-19cc-5c75-acc3-7640adcf68e8"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* FileDescription */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* ProductName */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310034 } /* LegalCopyright CopyrightCMarkRussinovich */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "4edbf604-a98c-5877-8385-eff85575daa4"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0037002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0037002e0031002e0031 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300037002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Advancedmicrodevicesinc_Amdpowerprofilersys_Amduprof_0AF5 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDPowerProfiler.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "6475e885-711f-53ea-9ab6-cdb45b3a0917"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d004400200050006f007700650072002000500072006f00660069006c0069006e00670020004400720069007600650072 } /* FileDescription AMDPowerProfilingDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0034002e003400390033002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d00440050006f00770065007200500072006f00660069006c00650072002e007300790073 } /* InternalName AMDPowerProfilersys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020007500500072006f0066 } /* ProductName AMDuProf */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d00440050006f00770065007200500072006f00660069006c00650072002e007300790073 } /* OriginalFilename AMDPowerProfilersys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020003200300032003100200041004d004400200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright AMDIncAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_074A {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "2cb53106-382d-5645-a72c-28a64112bb47"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300036002e0030003100310038002e00320030003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300036002e0030003100310038002e0032003000310037 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_98B7 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "f827cf5e-23c7-5db8-9949-14382788bbdd"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f0072002000440065006200750067004c00450044 } /* FileDescription NTIOLibforDebugLED */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Zemanaltd_Zam_9A95 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "de7c3f85-1101-58c2-882b-e7e59d95fdd8"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310036002e003200380037 } /* ProductVersion */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "4e733353-21f8-5a32-b735-fccd3ffba831"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0034 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003100200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Zemanaltd_Zam_2BBC {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "171ebc5a-3e8a-5771-8960-b623f6581759"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310038002e003300370031 } /* ProductVersion */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Logitechinc_Lvavsys_Logitechwebcamsoftware_E86C {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Lv561av.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "3402e3fc-82be-577d-a297-fcae7539bcfc"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f00670069007400650063006800200056006900640065006f0020004400720069007600650072 } /* FileDescription LogitechVideoDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f00670069007400650063006800200049006e0063002e } /* CompanyName LogitechInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310032002e00300030002e0031003200370038002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e00300030002e0031003200370038002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c007600350036003100610076002e007300790073 } /* InternalName Lvavsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c006f006700690074006500630068002000570065006200630061006d00200053006f006600740077006100720065 } /* ProductName LogitechWebcamSoftware */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c007600350036003100610076002e007300790073 } /* OriginalFilename Lvavsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280063002900200031003900390036002d00320030003000390020004c006f006700690074006500630068002e002000200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright cLogitechAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 600KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_C505 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HpPortIox64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "2fb75598-3743-50c5-b9cf-d0e928f0c57c"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200049006e0063002e } /* CompanyName HPInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0039 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0039 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* InternalName HpPortIoxsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800700050006f007200740049006f } /* ProductName HpPortIo */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* OriginalFilename HpPortIoxsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002d003200300032003100200048005000200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCHPIncAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "fd0941e8-747f-5337-aaf2-f819e32b8884"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* InternalName rtkiowxsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_2CE8 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "e7cfd1c7-bd56-5fb1-8e6a-bc49b67b7c2c"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e00310030002e003100370031002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e00310030002e003100370031002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_9254 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "ac7837d9-055e-502d-a497-fe96b0aa701d"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004400440052005f00430043 } /* FileDescription NTIOLibforMSIDDRCC */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NalDrv.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b"
|
||
|
|
hash = "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "0ffa7a9b-5174-53df-a332-e8b9e460eb1b"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0037 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003300200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow10x64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "52d07201-6af3-5675-a5f0-9b6a7bb39b28"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* InternalName rtkiowxsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_43BA {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "6db1af54-b12d-5213-b184-7df7f628882e"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d004900430053005900530020006400720069007600650072 } /* FileDescription MICSYSdriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003100200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00310020007800360034 } /* ProductVersion x */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0031 } /* ProductName MsIoDriverVersion */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100390020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_1078 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "30ef7f0d-e6f4-5a98-87c2-286ac64c3886"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_26C2 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "dba48ad5-9b35-555e-814e-73b74f157b66"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0035 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_CC68 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "14971376-05dc-59c2-bce7-498eabb52678"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000390039 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 500KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windowsrcodenamelonghornddkdriver_159E {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WCPU.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "4ca1b53c-7539-5e0e-8309-224a4a859480"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041005300550053002000540044004500200043005000550020004400720069007600650072 } /* FileDescription ASUSTDECPUDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000550020004400720069007600650072 } /* InternalName CPUDriver */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000550020004400720069007600650072 } /* OriginalFilename CPUDriver */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020006200790020004100530055005300540065006b00200043004f004d0050005500540045005200200049004e0043002e00200032003000300036 } /* LegalCopyright CopyrightbyASUSTekCOMPUTERINC */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_1DDF {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "54f03573-22a0-51ea-b3cd-201d27459cf1"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_654C {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "c2883a08-8832-514d-a472-e53370fe9a88"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0030002e0031003000370032 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HW.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c"
|
||
|
|
hash = "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "50ae31e8-41e0-5913-b04a-63b97aa9bbc2"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d00380020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e } /* CompanyName MarvinTestSolutionsInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0038002e0032002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0038002e0032002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077002e007300790073 } /* InternalName Hwsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00480057 } /* ProductName HW */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480057002e007300790073 } /* OriginalFilename HWsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390036002d00320030003100350020004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightMarvinTestSolutionsIncAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_6E0A {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "140374de-63f5-5ea2-9546-9356d697f971"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0036002e0034003200330035002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0036002e0034003200330035002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_A2F4 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "c7b13c18-84a2-5362-bd10-a80c001c6efc"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0032002e0034003100380031002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0032002e0034003100380031002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Nvidiacorporation_Nvflash_Nvidiaflashdriver_AFDD {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvflash.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "f8e2c69d-d3fb-58f8-bc03-3ad5ce67f0bf"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072002c002000560065007200730069006f006e00200031002e0038002e0030 } /* FileDescription NVIDIAFlashDriverVersion */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070006f0072006100740069006f006e } /* CompanyName NVIDIACorporation */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0038002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0038002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00760066006c006100730068 } /* InternalName nvflash */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072 } /* ProductName NVIDIAFlashDriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00760066006c006100730068002e007300790073 } /* OriginalFilename nvflashsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]002800430029002000320030003100370020004e0056004900440049004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CNVIDIACorporationAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F85E {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "43ea92d7-a820-5ccc-b37f-05b96ead1246"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200034 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyvektortrev_26F4 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "1ee8489d-ef29-5d5b-80f5-8f0a206eda3f"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e003100310039003200330030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e003100310039003200330030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100380020005000750062006c00690063002000620079002000560065006b0074006f0072002000540031003300200028007200650076002e003000350029 } /* ProductName AntidetectPublicbyVektorTrev */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100380020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 400KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "e4c649d8-941e-57d8-9193-a7e5c3de4671"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320038 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 400KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_55A1 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9"
|
||
|
|
hash = "c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "3bd64a09-bfa9-5b87-8048-60e61c1a61f7"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0031002e0036 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0031002e0036 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1AAF {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "9fc423bb-451b-52e8-ba81-7113cd1621c8"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e00310031002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e00310031002e0031002e0031 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300038002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_C901 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "a1c33a78-bef9-59fc-8976-876c1fe68aff"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0031003100310038 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceventmonitorsdriverdevelopmentedition_7877 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VProEventMonitor.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "84fa4df8-ac81-5de0-994d-9d754642a01e"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e0053007900730020002d0020004500760065006e00740020004d006f006e00690074006f00720069006e00670020006400720069007600650072 } /* FileDescription VProEventMonitorSysEventMonitoringdriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530079006d0061006e00740065006300200043006f00720070006f0072006100740069006f006e } /* CompanyName SymantecCorporation */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e00340035003700300038 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e005300790073 } /* InternalName VProEventMonitorSys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530079006d0061006e0074006500630020004500760065006e00740020004d006f006e00690074006f00720073002000440072006900760065007200200044006500760065006c006f0070006d0065006e0074002000450064006900740069006f006e } /* ProductName SymantecEventMonitorsDriverDevelopmentEdition */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e005300790073 } /* OriginalFilename VProEventMonitorSys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300037002d0032003000300038002000530079006d0061006e00740065006300200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSymantecCorporationAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Wj_Kprocesshacker_C725 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - krpocesshacker.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "53a8740a-65a5-5eb5-afc5-b86058982071"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0077006a00330032 } /* CompanyName wj */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0038 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0038 } /* ProductVersion */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* ProductName KProcessHacker */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00700072006f0063006500730073006800610063006b00650072002e007300790073 } /* OriginalFilename kprocesshackersys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004c006900630065006e00730065006400200075006e006400650072002000740068006500200047004e0055002000470050004c002c002000760033002e } /* LegalCopyright LicensedundertheGNUGPLv */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_7AD0 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "e9db51b4-48a2-53a9-999d-5676d0a4aa91"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_C082 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "36d4d011-edf0-53e8-9665-b75520140df3"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000380034 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 400KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Creativetechnologyinnovationcoltd_Ctiiosys_Ctiiodriverversion_X_2121 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CtiIo64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "3cc780a4-7b9c-516e-91a1-705f785922d2"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430054004900200049004f0020006400720069007600650072 } /* FileDescription CTIIOdriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043007200650061007400690076006500200054006500630068006e006f006c006f0067007900200049006e006e006f0076006100740069006f006e00200043006f002e002c0020004c00540064002e } /* CompanyName CreativeTechnologyInnovationCoLTd */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300020007800360034 } /* ProductVersion x */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043007400690049006f00360034002e007300790073 } /* InternalName CtiIosys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043007400690049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0030 } /* ProductName CtiIoDriverVersion */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043007400690049006f00360034002e007300790073 } /* OriginalFilename CtiIosys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003200310020004300540049 } /* LegalCopyright CopyrightcCTI */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Ssmartsoftwaresolutionsgmbh_Sysdrvs_Sysdrvs_0E53 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SysDrv3S.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "9ace902a-a3bf-56fa-8eb8-99a82c1adf0b"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530079007300440072007600330053 } /* FileDescription SysDrvS */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00330053002d0053006d00610072007400200053006f00660074007700610072006500200053006f006c007500740069006f006e007300200047006d00620048 } /* CompanyName SSmartSoftwareSolutionsGmbH */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002c0035002c0036002c0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0035002e0036002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530079007300440072007600330053 } /* InternalName SysDrvS */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530079007300440072007600330053 } /* ProductName SysDrvS */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530079007300440072007600330053002e007300790073 } /* OriginalFilename SysDrvSsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300036002d0032003000310034 } /* LegalCopyright Copyright */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_14AD {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "0501fc8b-cc72-5c03-97cf-411051119ccf"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310037002e0039002e0033003700350034002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037002e0039002e0033003700350034002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_3871 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz_x64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "ddcb8217-640d-598d-9afd-a1c15d1bbb8c"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "f4b17a75-3160-5a73-afe6-531c41fae197"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310037 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003800200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_3143 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "c0a7d14e-65aa-51e1-a2c1-88a7c56dce57"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e } /* CompanyName TOSHIBACorporation */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0032002e0034002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e0034002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* InternalName NCHGBIOSxSYS */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0054004f00530048004900420041002000420049004f00530020005000610063006b006100670065 } /* ProductName TOSHIBABIOSPackage */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* OriginalFilename NCHGBIOSxSYS */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200031003900390039002d003200300031003200200054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCTOSHIBACorporationAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Zemanaltd_Zam_5439 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91"
|
||
|
|
hash = "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "f35db7b6-8a4b-5c26-9e00-da5c1c7780e8"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320031002e00360033 } /* ProductVersion */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_30AB {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "cd4dd891-8d86-5afa-83ed-1ad0997608de"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00330030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00330030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300038 } /* LegalCopyright CopyrightCMRussinovich */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Zemanaltd_Zam_DE8F {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "245da08c-d629-53cb-83fb-476f4fdd1512"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e003100300034 } /* ProductVersion */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Supermicrocomputerinc_Phymem_Phymem_1963 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - phymem64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "19673477-eb54-52d7-886e-ebf3216aa77b"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007000680079006d0065006d0020004100700070006c00690063006100740069006f006e } /* FileDescription phymemApplication */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* CompanyName SuperMicroComputerInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007000680079006d0065006d } /* InternalName phymem */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]007000680079006d0065006d } /* ProductName phymem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007000680079006d0065006d002e007300790073 } /* OriginalFilename phymemsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280063002900200031003900390033002d00320030003100350020005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* LegalCopyright CopyrightcSuperMicroComputerInc */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_16A2 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1"
|
||
|
|
hash = "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "826ee893-06af-5dee-9436-ec3ea7ddd8d9"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340032 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340032 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_CFB7 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "e80a43d2-d96f-5fed-a5e1-3e1ea617542a"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0030002e003100310039003200330030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0030002e003100310039003200330030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100390020005000750062006c00690063 } /* ProductName AntidetectPublic */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100390020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 400KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "b4cef531-b146-5c20-b429-a90beaad5712"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0034002e007200340037003900370038 } /* FileVersion r */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0034002e007200340037003900370038 } /* ProductVersion r */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "44e2c561-b9f4-5840-9e0c-53ffee5a3bd1"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500069006e00640075006f00640075006f0020004c0074006400200043006f00720070 } /* CompanyName PinduoduoLtdCorp */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e003100330037003900300034 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e003100330037003900300034 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500069006e00640075006f00640075006f00200053006500630075007200650020005600440049 } /* ProductName PinduoduoSecureVDI */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d0032003000320031002000500069006e00640075006f00640075006f00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCPinduoduoCorporation */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 1000KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "c3b0b3b0-9281-5d90-bf26-6c4c46c4143b"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100320020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_8CFD {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "4affbef6-26ac-5087-a881-32fad34fd192"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "9994e1c0-b86b-578d-8002-554584e1de2b"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0036002e0033003900370039002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0036002e0033003900370039002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Wj_Kprocesshacker_7021 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "dd2a2bfd-12be-5cdb-8293-c51220015bd9"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0077006a00330032 } /* CompanyName wj */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030 } /* ProductVersion */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* ProductName KProcessHacker */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00700072006f0063006500730073006800610063006b00650072002e007300790073 } /* OriginalFilename kprocesshackersys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004c006900630065006e00730065006400200075006e006400650072002000740068006500200047004e0055002000470050004c002c002000760033002e } /* LegalCopyright LicensedundertheGNUGPLv */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_76E8 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "2d26b107-7fcb-5acd-94e4-ed18c399ad66"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00320030002e0030002e0031003000300038 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00320030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_1D03 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_HWMIO64_W10.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "ea157129-3347-5ba0-a115-928b4aef345f"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002c00200030002c00200031003800300036002c00200032003200300030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002c00200030002c00200031003800300036002c00200032003200300030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f0020006400720069007600650072 } /* ProductName BIOSTARIOdriver */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f00480057004d0049004f00360034005f005700310030002e007300790073 } /* OriginalFilename BSHWMIOWsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310038002d0032003000310039002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E2E7 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "ec02c434-7918-5212-85f6-5ee417940b7c"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 300KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F69 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "04fdd9f7-605b-54ee-849d-44a50ef732d2"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0032002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0032002e0037 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003600200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "a1b5efd0-2dd2-5c54-86b6-12684d6ea56b"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "0e696bff-b5da-5116-a5a7-341b6c3098b8"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 100KB and all of them
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
rule PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0 {
|
||
|
|
meta:
|
||
|
|
description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
|
||
|
|
author = "Florian Roth"
|
||
|
|
reference = "https://github.com/magicsword-io/LOLDrivers"
|
||
|
|
hash = "4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba"
|
||
|
|
date = "2023-06-14"
|
||
|
|
score = 40
|
||
|
|
id = "bde91bb0-9211-5fea-b725-d556c5a3ccc9"
|
||
|
|
strings:
|
||
|
|
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
|
||
|
|
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
|
||
|
|
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0037002e0034003000310036002e0030 } /* FileVersion */
|
||
|
|
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0037002e0034003000310036002e0030 } /* ProductVersion */
|
||
|
|
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
|
||
|
|
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
|
||
|
|
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
|
||
|
|
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
|
||
|
|
condition:
|
||
|
|
uint16(0) == 0x5a4d and filesize < 200KB and all of them
|
||
|
|
}
|