Sneed-Reactivity/yara-Neo23x0/yara-rules_vuln_drivers_strict_renamed.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00

6831 lines
576 KiB
Text

rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3"
hash = "5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02"
hash = "ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe"
hash = "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa"
date = "2023-06-14"
score = 70
id = "1dadf1a5-6eea-5d47-be5e-9c93bf23f49a"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310037002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i
}
rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_D7E0 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0"
date = "2023-06-14"
score = 70
id = "c9596048-1bc9-5d4f-8c34-97494f2d4e9e"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00310031002e0031002e003500310030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310031002e0031002e003500310030 } /* ProductVersion */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i
}
rule PUA_VULN_Renamed_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_4744 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elrawdsk.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6"
hash = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a"
date = "2023-06-14"
score = 70
id = "299e1312-e4ff-5152-a046-b020c825df5a"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200610077004400690073006b0020004400720069007600650072002e00200041006c006c006f00770073002000770072006900740065002000610063006300650073007300200074006f002000660069006c0065007300200061006e006400200072006100770020006400690073006b00200073006500630074006f0072007300200066006f0072002000750073006500720020006d006f006400650020006100700070006c00690063006100740069006f006e007300200069006e002000570069006e0064006f007700730020003200300030003000200061006e00640020006c0061007400650072002e } /* FileDescription RawDiskDriverAllowswriteaccesstofilesandrawdisksectorsforusermodeapplicationsinWindowsandlater */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c0064006f005300200043006f00720070006f0072006100740069006f006e } /* CompanyName EldoSCorporation */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200031002c002000320037002c0020003100300036 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200031002c002000320037002c00200030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0065006c00720061007700640073006b002e007300790073 } /* InternalName elrawdsksys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200610077004400690073006b } /* ProductName RawDisk */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0065006c00720061007700640073006b002e007300790073 } /* OriginalFilename elrawdsksys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300037002d0032003000310031002c00200045006c0064006f005300200043006f00720070006f0072006100740069006f006e0020 } /* LegalCopyright CopyrightCEldoSCorporation */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elrawdsk/i
}
rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_81AA {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0"
date = "2023-06-14"
score = 70
id = "0854ee57-7214-5959-86be-afd26950432c"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0031 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i
}
rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_F6CD {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f"
date = "2023-06-14"
score = 70
id = "e14e96ea-42e6-5946-9237-a16f9c072d2c"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i
}
rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_2594 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2"
date = "2023-06-14"
score = 70
id = "1af90e2a-a7b8-5ae0-98a4-ffe0543cda9c"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0033002e0033003800360030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0033002e0033003800360030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_6BEF {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63"
hash = "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775"
hash = "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22"
hash = "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26"
hash = "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0"
hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578"
hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad"
date = "2023-06-14"
score = 70
id = "9a0e6700-1e63-5d7d-b255-d8492162395c"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310034002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i
}
rule PUA_VULN_Renamed_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_45BA {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RwDrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a"
hash = "3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf"
hash = "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d"
hash = "1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe"
hash = "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3"
date = "2023-06-14"
score = 70
id = "8790783a-921d-513e-9df5-6565e6f6709f"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200770044007200760020004400720069007600650072 } /* FileDescription RwDrvDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520077004400720076002e007300790073 } /* InternalName RwDrvsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200770044007200760020004400720069007600650072 } /* ProductName RwDrvDriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520077004400720076002e007300790073 } /* OriginalFilename RwDrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /RwDrv/i
}
rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Vmdrvsys_Windowsrwinddkdriver_5C0B {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vmdrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921"
hash = "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351"
hash = "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3"
date = "2023-06-14"
score = 70
id = "0d3a77dc-c2c8-5741-b574-e3a1afe4e43d"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0056006f006900630065006d006f00640020005600690072007400750061006c00200041007500640069006f00200044006500760069006300650020002800570044004d0029 } /* FileDescription VoicemodVirtualAudioDeviceWDM */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0076006d006400720076002e007300790073 } /* InternalName vmdrvsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0076006d006400720076002e007300790073 } /* OriginalFilename vmdrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200056006f006900630065006d006f006400200053002e004c002e0032003000310030002d0032003000320030 } /* LegalCopyright CopyrightCVoicemodSL */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /vmdrv/i
}
rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_A130 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433"
hash = "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d"
date = "2023-06-14"
score = 70
id = "ed7c99d8-ba92-53fa-b633-e64e5d7fe5a3"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003800200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i
}
rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_5BD4 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c"
date = "2023-06-14"
score = 70
id = "353bb544-18f6-5c1b-b100-b2ddb55c3cc2"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_88E2 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc"
hash = "f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478"
hash = "89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7"
hash = "3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a"
hash = "d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476"
hash = "e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06"
hash = "c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa"
hash = "6e944ae1bfe43a8a7cd2ea65e518a30172ce8f31223bdfd39701b2cb41d8a9e7"
hash = "59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879"
hash = "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd"
hash = "9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2"
date = "2023-06-14"
score = 70
id = "c36713ac-c8f2-5061-8d1e-42a5c33a60e9"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310034 } /* LegalCopyright CopyrightCMarkRussinovich */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i
}
rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdriver_1F4D {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c"
hash = "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e"
hash = "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e"
hash = "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b"
hash = "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c"
hash = "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036"
hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289"
date = "2023-06-14"
score = 70
id = "4b16ba1a-e7d7-500b-8ebc-aac1561a22f5"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i
}
rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_B50F {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e"
hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b"
date = "2023-06-14"
score = 70
id = "5d7314e6-51aa-5220-9aa2-6d6c826550bb"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i
}
rule PUA_VULN_Renamed_Driver_Openlibsysorg_Winringsys_Winring_11BD {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0x64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5"
hash = "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062"
date = "2023-06-14"
score = 70
id = "7f7ebb0c-bb5a-5585-80d9-9638233554a3"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0035 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0035 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* InternalName WinRingsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00520069006e00670030 } /* ProductName WinRing */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* OriginalFilename WinRingsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300037002d00320030003000380020004f00700065006e004c00690062005300790073002e006f00720067002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCOpenLibSysorgAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WinRing0x64/i
}
rule PUA_VULN_Renamed_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardwarereadwritedriver_21CC {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HwRwDrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21"
date = "2023-06-14"
score = 70
id = "5b426649-d516-5dcd-964d-968ebf0cce24"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* FileDescription Hardwarereadwritedriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f0077007300ae002000770069006e006f007700730020003700200064007200690076006500720020006b006900740073002000700072006f00760069006400650072 } /* CompanyName Windowswinowsdriverkitsprovider */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0035002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0035002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0048007700520077004400720076002e007300790073 } /* InternalName HwRwDrvsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048006100720064007700610072006500200072006500610064002000260020007700720069007400650020006400720069007600650072 } /* ProductName Hardwarereadwritedriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0048007700520077004400720076002e007300790073 } /* OriginalFilename HwRwDrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightMicrosoftCorporationAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HwRwDrv/i
}
rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_AD8F {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833"
date = "2023-06-14"
score = 70
id = "1b982901-3e6b-5aa6-8720-8d9305350dc7"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0036002e003100300037002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3124 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5"
date = "2023-06-14"
score = 70
id = "e3bcd228-a606-585f-a2fc-b4113ee87708"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004600720065007100750065006e00630079005f00430043 } /* FileDescription NTIOLibforMSIFrequencyCC */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
}
rule PUA_VULN_Renamed_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Monitor_win10_x64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb"
date = "2023-06-14"
score = 70
id = "052f73e5-4140-5d25-85d7-3e69937edb29"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049004f006200690074002000540065006d007000650072006100740075007200650020004d006f006e00690074006f0072 } /* FileDescription IObitTemperatureMonitor */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f006200690074 } /* CompanyName IObit */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e00310031 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e0030002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d006f006e00690074006f0072002e007300790073 } /* InternalName Monitorsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006400760061006e006300650064002000530079007300740065006d0043006100720065 } /* ProductName AdvancedSystemCare */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d006f006e00690074006f0072002e007300790073 } /* OriginalFilename Monitorsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200049004f006200690074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright IObitAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Monitor_win10_x64/i
}
rule PUA_VULN_Renamed_Driver_Phoenixtechnologiesltd_Phlashnt_Winphlash_65DB {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PhlashNT.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890"
date = "2023-06-14"
score = 70
id = "d60b5524-2fc9-52d4-8911-57bf41fc47a8"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300570069006e0046006c006100730068002000440072006900760065007200200066006f0072002000570069006e0064006f007700730020004e0054 } /* FileDescription SWinFlashDriverforWindowsNT */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500068006f0065006e0069007800200054006500630068006e006f006c006f0067006900650073002c0020004c00740064002e } /* CompanyName PhoenixTechnologiesLtd */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0031002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036002e0031002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500048004c004100530048004e0054 } /* InternalName PHLASHNT */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00500068006c006100730068 } /* ProductName WinPhlash */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500048004c004100530048004e0054002e005300590053 } /* OriginalFilename PHLASHNTSYS */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]002800630029002000500068006f0065006e0069007800200054006500630068006e006f006c006f0067006900650073002c0020004c00740064002e00200032003000300030002d0032003000300033 } /* LegalCopyright cPhoenixTechnologiesLtd */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PhlashNT/i
}
rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_7196 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d"
date = "2023-06-14"
score = 70
id = "a197bb49-05c6-5f73-a598-2df9ff503ffa"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0038002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0038002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* InternalName ALSysIOsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f } /* ProductName ALSysIO */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* OriginalFilename ALSysIOsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300030003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ALSysIO64/i
}
rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_133E {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743"
date = "2023-06-14"
score = 70
id = "e94c3003-24cc-5dfd-baf1-7377497a4b16"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i
}
rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f"
hash = "523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba"
hash = "df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15"
hash = "9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c"
hash = "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6"
hash = "1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512"
hash = "5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe"
hash = "67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc"
hash = "80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1"
hash = "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758"
hash = "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90"
hash = "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b"
date = "2023-06-14"
score = 70
id = "4de41d13-ffdc-56fa-a5fe-c72ea5bf872f"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310030002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i
}
rule PUA_VULN_Renamed_Driver_Asustek_Driversys_Ectool_927C {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - driver7-x86-withoutdbg.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a"
hash = "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0"
hash = "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd"
date = "2023-06-14"
score = 70
id = "cc670ae4-3be4-5e70-9b8c-4bf52aa3191d"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400680065002000640072006900760065007200200066006f007200200074006800650020004500430074006f006f006c0020006400720069007600650072002d0062006100730065006400200074006f006f006c0073 } /* FileDescription ThedriverfortheECtooldriverbasedtools */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300740065006b } /* CompanyName ASUStek */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0032 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0044007200690076006500720037002e007300790073 } /* InternalName Driversys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0045004300200074006f006f006c } /* ProductName ECtool */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0044007200690076006500720037 } /* OriginalFilename Driver */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020 } /* LegalCopyright Copyright */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /driver7-x86-withoutdbg/i
}
rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_CF4B {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b"
date = "2023-06-14"
score = 70
id = "853fcdcf-12e5-5783-b582-f8449d575d8c"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d005300490043006c006f0063006b005f00430043 } /* FileDescription NTIOLibforMSIClockCC */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_D783 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f"
date = "2023-06-14"
score = 70
id = "8cd1c035-64aa-5bad-b2df-f7b50a90c92b"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000330033 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1"
date = "2023-06-14"
score = 70
id = "4e938de0-3822-57a1-987b-818cb7a169d2"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002e0031002e003100380037002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002e0031002e003100380037002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003100200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i
}
rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriverfle_42E1 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_I2cIo.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb"
hash = "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65"
hash = "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a"
date = "2023-06-14"
score = 70
id = "b8fae701-2e8a-542d-8672-4c76f109fa75"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200031002c00200030002c00200030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200031002c00200030002c00200030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f002000640072006900760065007200200066006c0065 } /* ProductName BIOSTARIOdriverfle */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f0049003200630049006f002e007300790073 } /* OriginalFilename BSIcIosys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000300032002d0032003000300036002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /BS_I2cIo/i
}
rule PUA_VULN_Renamed_Driver_Mitactechnologycorporation_Mtcbsvsys_Mitacsystemserviceprovider_C9CF {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mtcBSv64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8"
date = "2023-06-14"
score = 70
id = "d9c795cd-876a-535f-b64e-55b1cae39da1"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* FileDescription MiTACSystemServiceProvider */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* CompanyName MiTACTechnologyCorporation */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320031002c00200031002c00200034002c00200030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320031002c00200031002c00200034002c00200030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* InternalName mtcBSvsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d0069005400410043002000530079007300740065006d00200053006500720076006900630065002000500072006f00760069006400650072 } /* ProductName MiTACSystemServiceProvider */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d0074006300420053007600360034002e007300790073 } /* OriginalFilename mtcBSvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004d006900540041004300200054006500630068006e006f006c006f0067007900200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCMiTACTechnologyCorporation */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /mtcBSv64/i
}
rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F65 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0"
date = "2023-06-14"
score = 70
id = "87c2d1a5-15a0-51ef-a1be-8c22ffabf03a"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100330020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310033 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003700200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i
}
rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viraglt64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495"
date = "2023-06-14"
score = 70
id = "565bd15e-3769-5fd3-90c7-5e5f75fb3bb5"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c002000310031 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viraglt64/i
}
rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltxsys_Pancafemanager_0650 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanMonFltX64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf"
date = "2023-06-14"
score = 70
id = "9513ae4a-9a61-51da-823c-76d33b2cf809"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e004d006f006e0046006c0074005800360034002e007300790073 } /* InternalName PanMonFltXsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e00430061006600650020004d0061006e0061006700650072 } /* ProductName PanCafeManager */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e004d006f006e0046006c0074005800360034002e007300790073 } /* OriginalFilename PanMonFltXsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0131006c0131006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazlmBilisimTeknolojileriTicLtdSti */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PanMonFltX64/i
}
rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_0F17 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf"
date = "2023-06-14"
score = 70
id = "f63927d6-7bbf-590d-b3e0-f5cd70160760"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200320034002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200320034002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_6C71 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ncpl.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44"
hash = "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0"
date = "2023-06-14"
score = 70
id = "04bee759-d8ca-5f28-9eb5-b6397c58ce8d"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ncpl/i
}
rule PUA_VULN_Renamed_Driver_Bsmisys_5962 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BSMIXP64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347"
hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9"
date = "2023-06-14"
score = 70
id = "8ebe6df1-b307-50ea-83c8-2984223da6dd"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053004d00490020004400720069007600650072 } /* FileDescription SMIDriver */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00420053004d0049002e007300790073 } /* InternalName BSMIsys */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053004d0049002e007300790073 } /* OriginalFilename BSMIsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000420049004f005300540041005200200043006f00720070002e00200032003000310031 } /* LegalCopyright CopyrightCBIOSTARCorp */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /BSMIXP64/i
}
rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_99F4 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1"
hash = "56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7"
hash = "c2a4ddcc9c3b339d752c48925d62fc4cc5adbf6fae8fedef74cdd47e88da01f8"
hash = "50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793"
hash = "9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449"
hash = "6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4"
hash = "cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb"
hash = "d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530"
hash = "3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5"
hash = "fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03"
hash = "9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6"
hash = "f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d"
hash = "131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6"
hash = "e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2"
hash = "89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be"
hash = "18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805"
hash = "7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504"
hash = "79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57"
hash = "952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4"
hash = "101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558"
hash = "39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e"
hash = "85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94"
hash = "b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d"
hash = "d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482"
hash = "984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7"
hash = "e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1"
hash = "a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499"
hash = "a9706e320179993dade519a83061477ace195daa1b788662825484813001f526"
hash = "47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005"
hash = "38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a"
hash = "ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0"
date = "2023-06-14"
score = 70
id = "120b0300-f965-5c0e-a996-b98efee72d75"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
}
rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_26E3 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43"
hash = "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf"
hash = "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26"
date = "2023-06-14"
score = 70
id = "e25beaaf-9c1e-5d39-9938-2548ed97325e"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310033002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i
}
rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatftatcamfntamfnbvctvcbmftwc_5F5E {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Bs_Def.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be"
hash = "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5"
hash = "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3"
hash = "36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb"
date = "2023-06-14"
score = 70
id = "352c2210-c58d-57be-98f3-39ba15d97cf9"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440065006600610075006c0074002000420049004f005300200046006c0061007300680020004400720069007600650072 } /* FileDescription DefaultBIOSFlashDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100730075007300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName AsusTekComputerInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320034 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00420073005f00440065006600360034002e007300790073 } /* InternalName BsDefsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0053007500700070006f0072007400200053005300540033003900530046003000320030002c0053005300540032003900450045003000320030002c004100540034003900460030003000320054002c00410054003200390043003000320030002c0041004d003200390046003000300032004e0054002c0041004d003200390046003000300032004e0042002c0056003200390043003500310030003000320054002c0056003200390043003500310030003000320042002c004d0032003900460030003000320054002c0057003200390043003000320030002e } /* ProductName SupportSSTSFSSTEEATFTATCAMFNTAMFNBVCTVCBMFTWC */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420073005f00440065006600360034002e007300790073 } /* OriginalFilename BsDefsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004100730075007300540065006b00200043006f006d00700075007400650072002e00200031003900390032002d0032003000300034 } /* LegalCopyright CopyrightCAsusTekComputer */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Bs_Def/i
}
rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsys_Paniolibrary_6B83 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIOx64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74"
date = "2023-06-14"
score = 70
id = "2b0714b8-ddd7-5313-83d3-53fcb7bb9c43"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f007800360034002e007300790073 } /* InternalName PanIOxsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f007800360034002e007300790073 } /* OriginalFilename PanIOxsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PanIOx64/i
}
rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_2A6D {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486"
hash = "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961"
hash = "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399"
date = "2023-06-14"
score = 70
id = "3e356a91-0fce-57fe-a2f9-a9ceca2309ae"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310032002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i
}
rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989"
date = "2023-06-14"
score = 70
id = "fbe0700a-ba46-53e7-b519-ad7a6ca42183"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200037 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i
}
rule PUA_VULN_Renamed_Driver_Entechtaiwan_Seasys_Softenginex_6CB5 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Se64a.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc"
date = "2023-06-14"
score = 70
id = "8f464004-8afe-58c8-9170-52a0496b6158"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006e005400650063006800200073006f006600740045006e00670069006e006500200078003600340020006b00650072006e0065006c002d006d006f006400650020006400720069007600650072 } /* FileDescription EnTechsoftEnginexkernelmodedriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006e0054006500630068002000540061006900770061006e } /* CompanyName EnTechTaiwan */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0031 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065003600340061002e007300790073 } /* InternalName seasys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0073006f006600740045006e00670069006e0065002d007800360034 } /* ProductName softEnginex */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065003600340061002e007300790073 } /* OriginalFilename seasys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200045006e0054006500630068002000540061006900770061006e002c00200032003000300034002d0032003000300036002e } /* LegalCopyright CopyrightcEnTechTaiwan */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Se64a/i
}
rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0B54 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917"
date = "2023-06-14"
score = 70
id = "c612b1f8-cff0-532e-8a2f-aa24cdad8920"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0038002e003100330030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0038002e003100330030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1"
date = "2023-06-14"
score = 70
id = "ee7f79aa-59fb-54c6-bb4d-939f3b48f4c8"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0035002e0033003900320036002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0035002e0033003900320036002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039"
hash = "b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3"
date = "2023-06-14"
score = 70
id = "d4f27c90-7d23-5969-b635-64eeb859960c"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000360035 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_8FE9 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a"
date = "2023-06-14"
score = 70
id = "9e5a5fc6-24ac-5df2-999f-1d1063bd3f46"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310037002e003100310035 } /* ProductVersion */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i
}
rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Windowsrcodenamelonghornddkdriver_4932 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668"
hash = "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e"
hash = "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98"
hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126"
date = "2023-06-14"
score = 70
id = "82418e8e-31cb-5499-9263-f0edc2d2b1e7"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i
}
rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3D9E {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3"
date = "2023-06-14"
score = 70
id = "61d26f77-ddd9-5f83-b531-886eb05331a0"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004e00540049004f004c00690062005f00450043004f } /* FileDescription NTIOLibForNTIOLibECO */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002d00320030003100320020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
}
rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_2BBE {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250"
hash = "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a"
date = "2023-06-14"
score = 70
id = "800313e5-3004-57e6-9f4c-969153ede685"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d0053004900530069006d0070006c0065005f004f0043 } /* FileDescription NTIOLibForMSISimpleOC */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310031002d00320030003100320020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
}
rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_092D {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0"
hash = "0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c"
date = "2023-06-14"
score = 70
id = "5c6ff79e-d218-5d5f-a057-e6971ef447bf"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0031 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_62F5 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0"
hash = "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7"
date = "2023-06-14"
score = 70
id = "188a50cc-7cf9-545d-87c1-9d3fce1070be"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003000390039 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Yyinc_Dianhu_80CB {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Dh_Kernel_10.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3"
hash = "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955"
date = "2023-06-14"
score = 70
id = "1675607c-efae-5099-be11-bc206c0712b5"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]006400690061006e00680075 } /* FileDescription dianhu */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0059005900200049006e0063002e } /* CompanyName YYInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00390039 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00390039 } /* ProductVersion */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]006400690061006e00680075 } /* ProductName dianhu */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300037002d003200300031003700200059005900200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightYYIncAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Dh_Kernel_10/i
}
rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00"
hash = "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9"
date = "2023-06-14"
score = 70
id = "619ff7aa-13db-5f36-987f-36e5f3af4f4b"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200031 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003600200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i
}
rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_A5A5 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad"
date = "2023-06-14"
score = 70
id = "b3c63fd3-4741-57b7-9de9-d2d2d391882f"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0033002e0033003800340038002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0033002e0033003800340038002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_591B {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52"
date = "2023-06-14"
score = 70
id = "4df83628-e87e-5e13-b6dd-033541771ae3"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200046006f00720020004d005300490052006100740069006f005f00430043 } /* FileDescription NTIOLibForMSIRatioCC */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
}
rule PUA_VULN_Renamed_Driver_Openlibsysorg_Winringsys_Winring_47EA {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84"
hash = "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8"
date = "2023-06-14"
score = 70
id = "1895c269-a7f5-5b4e-8fea-6ac70c16f79b"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069006e00520069006e00670030 } /* FileDescription WinRing */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0032 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0032 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* InternalName WinRingsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e00520069006e00670030 } /* ProductName WinRing */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069006e00520069006e00670030002e007300790073 } /* OriginalFilename WinRingsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCOpenLibSysorgAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WinRing0/i
}
rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_6532 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd"
date = "2023-06-14"
score = 70
id = "b71a72cc-08d0-572e-b404-ba2f01dc20a6"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */
$ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300032 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002e00300030002e00300037002e00300032 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310035002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /segwindrvx64/i
}
rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_909D {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880"
date = "2023-06-14"
score = 70
id = "88bfa047-8980-51e0-8baf-9a9301b36283"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0035002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0035002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300032003000200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i
}
rule PUA_VULN_Renamed_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_AD40 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173"
hash = "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7"
hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a"
date = "2023-06-14"
score = 70
id = "729acf46-93eb-5ab1-a696-d4cc6bf43a53"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410054004900200044006900610067006e006f007300740069006300730020004800610072006400770061007200650020004100620073007400720061006300740069006f006e0020005300790073 } /* FileDescription ATIDiagnosticsHardwareAbstractionSys */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410054004900200054006500630068006e006f006c006f006700690065007300200049006e0063002e } /* CompanyName ATITechnologiesInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00310031002e0039002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* InternalName atillksys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410054004900200044006900610067006e006f00730074006900630073 } /* ProductName ATIDiagnostics */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100740069006c006c006b00360034002e007300790073 } /* OriginalFilename atillksys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000410054004900200054006500630068006e006f006c006f006700690065007300200049006e0063002e002c00200032003000300033 } /* LegalCopyright CopyrightCATITechnologiesInc */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /atillk64/i
}
rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_0CD4 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c"
date = "2023-06-14"
score = 70
id = "788423ac-b11d-593a-a043-0bcdcf49465e"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_E16D {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48"
hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790"
hash = "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a"
hash = "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d"
date = "2023-06-14"
score = 70
id = "1a622734-cb50-5d17-aa0a-d5a04b26b386"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c0020005800540043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription NovellXTCOMServicesDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /libnicm/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_3FA6 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e"
date = "2023-06-14"
score = 70
id = "f9cdf106-d925-5630-82a0-dd03a708e6f1"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380030002e0030002e0031003000370037 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00380030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3E1D {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272"
date = "2023-06-14"
score = 70
id = "b467d87b-12bc-56ef-9901-520e73be1b50"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0030002e0031003100310033 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_6FB5 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d"
date = "2023-06-14"
score = 70
id = "045c065f-82e8-5302-b1b4-d5a49491fb84"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_3943 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrDrv106.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838"
hash = "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9"
hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d"
hash = "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7"
hash = "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c"
hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b"
hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc"
date = "2023-06-14"
score = 70
id = "8a32a060-72e4-586a-9269-48ca9e7b49f7"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* FileDescription ASRockIODriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* InternalName AsrDrvsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530052006f0063006b00200049004f0020004400720069007600650072 } /* ProductName ASRockIODriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004400720076002e007300790073 } /* OriginalFilename AsrDrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrDrv106/i
}
rule PUA_VULN_Renamed_Driver_Hpdevelopmentcompany_Etdsuppsys_Hpetdidriverdll_F744 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - etdsupp.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145"
date = "2023-06-14"
score = 70
id = "577bb210-93ca-5f9f-a297-c8bce58dfd1f"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004500540044006900200053007500700070006f007200740020004400720069007600650072 } /* FileDescription ETDiSupportDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200044006500760065006c006f0070006d0065006e007400200043006f006d00700061006e0079 } /* CompanyName HPDevelopmentCompany */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0030002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0030002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0065007400640073007500700070002e007300790073 } /* InternalName etdsuppsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048005000200045005400440069002000440072006900760065007200200044004c004c } /* ProductName HPETDiDriverDLL */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0065007400640073007500700070002e007300790073 } /* OriginalFilename etdsuppsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200031003900390031002d00320030003200320020004800650077006c006500740074002d005000610063006b00610072006400200044006500760065006c006f0070006d0065006e007400200043006f006d00700061006e0079002c0020004c002e0050002e } /* LegalCopyright CCopyrightHewlettPackardDevelopmentCompanyLP */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /etdsupp/i
}
rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501"
date = "2023-06-14"
score = 70
id = "39d8757d-888a-5098-b1c0-7954b233599e"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310036 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003800200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i
}
rule PUA_VULN_Renamed_Driver_Phoenixtechnologies_Agentsys_Driveragent_4045 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Agent64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca"
hash = "8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f"
hash = "6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa"
hash = "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414"
hash = "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748"
date = "2023-06-14"
score = 70
id = "0bb01569-32ea-52c5-a5cd-27ed4eddfa4b"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004400720069007600650072004100670065006e0074002000440069007200650063007400200049002f004f00200066006f0072002000360034002d006200690074002000570069006e0064006f00770073 } /* FileDescription DriverAgentDirectIOforbitWindows */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500068006f0065006e0069007800200054006500630068006e006f006c006f0067006900650073 } /* CompanyName PhoenixTechnologies */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100670065006e007400360034002e007300790073 } /* InternalName Agentsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004400720069007600650072004100670065006e0074 } /* ProductName DriverAgent */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100670065006e007400360034002e007300790073 } /* OriginalFilename Agentsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0045006e0054006500630068002000540061006900770061006e002c00200031003900390037002d0032003000300039 } /* LegalCopyright EnTechTaiwan */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /Agent64/i
}
rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605"
date = "2023-06-14"
score = 70
id = "32290d09-5e5a-5cd7-ae87-5be0646fbbc1"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000360030002c00200030002c00200030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000360030002c00200030002c00200030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100310020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i
}
rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_904E {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NICM.SYS"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a"
hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190"
date = "2023-06-14"
score = 70
id = "f8c55d27-288b-50ea-a8ef-bbd4f9d0739f"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c00200043006c00690065006e007400200050006f00720074006100620069006c0069007400790020004c0061007900650072 } /* FileDescription NovellClientPortabilityLayer */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00490043004d002e005300590053 } /* OriginalFilename NICMSYS */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NICM/i
}
rule PUA_VULN_Renamed_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_F060 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - OpenLibSys.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008"
date = "2023-06-14"
score = 70
id = "0f9f6aaf-37f7-593c-8086-0907e7c09e24"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0033 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* InternalName OpenLibSyssys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f00700065006e004c00690062005300790073 } /* ProductName OpenLibSys */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* OriginalFilename OpenLibSyssys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067 } /* LegalCopyright CopyrightCOpenLibSysorg */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /OpenLibSys/i
}
rule PUA_VULN_Renamed_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedriver_2A65 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrIbDrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a"
hash = "3384f4a892f7aa72c43280ff682d85c8e3936f37a68d978d307a9461149192de"
hash = "2470fd1b733314c9b0afa19fd39c5d19aa1b36db598b5ebbe93445caa545da5f"
hash = "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc"
hash = "0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb"
hash = "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14"
date = "2023-06-14"
score = 70
id = "99ca2e37-5fcd-5fe2-8e38-88d1153fe950"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* FileDescription RWEverythingReadWriteDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e0067 } /* CompanyName RWEverything */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00520077004400720076002e007300790073 } /* InternalName RwDrvsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00520057002d00450076006500720079007400680069006e006700200052006500610064002000260020005700720069007400650020004400720069007600650072 } /* ProductName RWEverythingReadWriteDriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00520077004400720076002e007300790073 } /* OriginalFilename RwDrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002000520057002d00450076006500720079007400680069006e0067 } /* LegalCopyright CopyrightCRWEverything */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrIbDrv/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48"
date = "2023-06-14"
score = 70
id = "fb17b415-51c9-5bd1-b557-8d57015f90e1"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000340037 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_19D0 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0"
date = "2023-06-14"
score = 70
id = "f896b0df-8862-5345-8feb-bdbddedda0bc"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_7795 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "77955af8a8bcea8998f4046c2f8534f6fb1959c71de049ca2f4298ba47d8f23a"
date = "2023-06-14"
score = 70
id = "d7c72129-94ab-5ff6-8b39-5c8c24ac1949"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300032003200200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i
}
rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_9B1A {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194"
date = "2023-06-14"
score = 70
id = "04c4bd4a-67ca-5dbb-9347-ad1a5c949895"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i
}
rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfltsys_Pancafemanager_7E01 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanMonFlt.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7"
date = "2023-06-14"
score = 70
id = "e74ef985-275d-5d14-97a3-e3085600aaa6"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500061006e00430061006600650020004d0061006e0061006700650072002000460069006c00650020004d006f006e00690074006f0072 } /* FileDescription PanCafeManagerFileMonitor */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e004d006f006e0046006c0074002e007300790073 } /* InternalName PanMonFltsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e00430061006600650020004d0061006e0061006700650072 } /* ProductName PanCafeManager */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e004d006f006e0046006c0074002e007300790073 } /* OriginalFilename PanMonFltsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0131006c0131006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazlmBilisimTeknolojileriTicLtdSti */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PanMonFlt/i
}
rule PUA_VULN_Renamed_Driver_Lenovogrouplimitedr_Lenovodiagnosticsdriversys_Lenovodiagnostics_F05B {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LenovoDiagnosticsDriver.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe"
date = "2023-06-14"
score = 70
id = "8613524c-6928-5d5a-9dd3-d067b93ac4b4"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073002000440072006900760065007200200066006f0072002000570069006e0064006f0077007300200031003000200061006e00640020006c0061007400650072002e } /* FileDescription LenovoDiagnosticsDriverforWindowsandlater */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c0065006e006f0076006f002000470072006f007500700020004c0069006d00690074006500640020002800520029 } /* CompanyName LenovoGroupLimitedR */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0034002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0034002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c0065006e006f0076006f0044006900610067006e006f00730074006900630073004400720069007600650072002e007300790073 } /* InternalName LenovoDiagnosticsDriversys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c0065006e006f0076006f00200044006900610067006e006f00730074006900630073 } /* ProductName LenovoDiagnostics */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c0065006e006f0076006f0044006900610067006e006f00730074006900630073004400720069007600650072002e007300790073 } /* OriginalFilename LenovoDiagnosticsDriversys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000320030003200310020004c0065006e006f0076006f002000470072006f007500700020004c0069006d0069007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright LenovoGroupLimitedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /LenovoDiagnosticsDriver/i
}
rule PUA_VULN_Renamed_Driver_Dell_Dbutil_71FE {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DBUtilDrv2.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009"
date = "2023-06-14"
score = 70
id = "ee5c03fc-8778-57ef-b300-2009bbf9208f"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440042005500740069006c } /* FileDescription DBUtil */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440065006c006c } /* CompanyName Dell */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0037002e0030002e0030 } /* ProductVersion */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00440042005500740069006c } /* ProductName DBUtil */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200032003000320031002000440065006c006c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e0020 } /* LegalCopyright DellIncAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /DBUtilDrv2/i
}
rule PUA_VULN_Renamed_Driver_Atszio_Atsziodriver_673B {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b"
hash = "31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a"
date = "2023-06-14"
score = 70
id = "e4a1e60c-3b56-518b-ba68-798dd6d5fce6"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0030002c00200032002c00200031002c00200032 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002c00200032002c00200031002c00200032 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f } /* InternalName ATSZIO */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030 } /* LegalCopyright CopyrightC */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ATSZIO/i
}
rule PUA_VULN_Renamed_Driver_Asus_Asmmapsys_Atkgenericfunctionservice_025E {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - asmmap64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4"
date = "2023-06-14"
score = 70
id = "610c253b-de94-5ebd-af97-d0a6b1339d81"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0065006d006f007200790020006d0061007000700069006e00670020004400720069007600650072 } /* FileDescription MemorymappingDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005300550053 } /* CompanyName ASUS */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200039002c00200031 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200039002c00200030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00610073006d006d00610070002e007300790073 } /* InternalName asmmapsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410054004b002000470065006e0065007200690063002000460075006e006300740069006f006e00200053006500720076006900630065 } /* ProductName ATKGenericFunctionService */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00610073006d006d00610070002e007300790073 } /* OriginalFilename asmmapsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039 } /* LegalCopyright CopyrightC */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /asmmap64/i
}
rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_FB81 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f"
hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22"
hash = "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0"
date = "2023-06-14"
score = 70
id = "922f318f-7f43-5844-8037-e40fcce7cb1a"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310031002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310031 } /* ProductVersion */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310033002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /nscm/i
}
rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_7133 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129"
date = "2023-06-14"
score = 70
id = "b352e8e9-b15a-5969-966d-00462cd461f4"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e00320030003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio64/i
}
rule PUA_VULN_Renamed_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatingsystem_23BA {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LHA.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade"
hash = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf"
date = "2023-06-14"
score = 70
id = "dd239b64-e8dd-5850-9ec3-125245b6f0cd"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c00480041 } /* FileDescription LHA */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c004700200045006c0065006300740072006f006e00690063007300200049006e0063002e } /* CompanyName LGElectronicsInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c00480041002e007300790073 } /* InternalName LHAsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f0066007400ae002000570069006e0064006f0077007300ae0020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftWindowsOperatingSystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c00480041002e007300790073 } /* OriginalFilename LHAsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0075006c00740072006100620069006f007300400068006f0074006d00610069006c002e0063006f006d } /* LegalCopyright ultrabioshotmailcom */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /LHA/i
}
rule PUA_VULN_Renamed_Driver_Logmeininc_Lmiinfosys_Logmein_453B {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LMIinfo.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233"
date = "2023-06-14"
score = 70
id = "ab17ebdd-3335-5868-a2b8-f6247cf7b778"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f0067004d00650049006e0020004b00650072006e0065006c00200049006e0066006f0072006d006100740069006f006e002000500072006f00760069006400650072 } /* FileDescription LogMeInKernelInformationProvider */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f0067004d00650049006e002c00200049006e0063002e } /* CompanyName LogMeInInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e0031002e0030002e0033003200320030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e0031002e0030002e0033003200320030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c004d00490069006e0066006f002e007300790073 } /* InternalName LMIinfosys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c006f0067004d00650049006e } /* ProductName LogMeIn */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c004d00490069006e0066006f002e007300790073 } /* OriginalFilename LMIinfosys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300033002d00320030003100370020004c006f0067004d00650049006e002c00200049006e0063002e00200050006100740065006e00740065006400200061006e006400200070006100740065006e00740073002000700065006e00640069006e0067002e } /* LegalCopyright CopyrightLogMeInIncPatentedandpatentspending */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /LMIinfo/i
}
rule PUA_VULN_Renamed_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdriverx_C628 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2"
date = "2023-06-14"
score = 70
id = "b347378c-88d1-52bb-8a30-a6558a4bc725"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* FileDescription SEGWindowsDriverx */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e } /* CompanyName InsydeSoftwareCorp */
$ = { 00460069006c006500560065007200730069006f006e[1-8]003100300030002c00200030002c00200037002c00200030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003100300030002c00200030002c00200037002c00200030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* InternalName segwindrvxsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300450047002000570069006e0064006f0077007300200044007200690076006500720020007800360034 } /* ProductName SEGWindowsDriverx */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730065006700770069006e006400720076007800360034002e007300790073 } /* OriginalFilename segwindrvxsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100320020002d00200032003000310034002c00200049006e007300790064006500200053006f00660074007700610072006500200043006f00720070002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightcInsydeSoftwareCorpAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /segwindrvx64/i
}
rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2FBB {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445"
date = "2023-06-14"
score = 70
id = "3582ec77-9fac-5e3a-9795-ac4429aeea01"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200032 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i
}
rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BCED {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f"
date = "2023-06-14"
score = 70
id = "40c14c2c-4e0b-5de6-a095-a6f68d9de2b2"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e00330030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e00330030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300035 } /* LegalCopyright CopyrightCMRussinovich */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i
}
rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow8x64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d"
date = "2023-06-14"
score = 70
id = "ad49ce42-e771-5b2c-a292-670c60de11af"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* InternalName rtkiowxsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00770038007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkiow8x64/i
}
rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f"
date = "2023-06-14"
score = 70
id = "3435fbbb-b668-580e-a820-d65415d2daaa"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0031002e00320020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0031002e0032 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003500200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i
}
rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7"
date = "2023-06-14"
score = 70
id = "2c802dbd-41c6-5651-ad49-ba034d725a49"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100380020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310038 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003900200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i
}
rule PUA_VULN_Renamed_Driver_Safenetinc_Hostnt_Hostnt_07B6 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HOSTNT.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357"
date = "2023-06-14"
score = 70
id = "a9a3ad7f-01cd-5e4f-964b-1ebd8faa1a92"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006f00730074006e0074002000360034002d0062006900740020006400720069007600650072 } /* FileDescription Hostntbitdriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053006100660065004e00650074002c00200049006e0063002e } /* CompanyName SafeNetInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0034002c00200030002c002000310036002c00200030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002c00200030002c002000310036002c00200030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0048006f00730074006e0074 } /* InternalName Hostnt */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048006f00730074006e0074 } /* ProductName Hostnt */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0048006f00730074006e0074002e007300790073 } /* OriginalFilename Hostntsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000200053006100660065004e00650074002c00200049006e0063002e } /* LegalCopyright CopyrightCSafeNetInc */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HOSTNT/i
}
rule PUA_VULN_Renamed_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_9A91 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo11X64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba"
date = "2023-06-14"
score = 70
id = "67859aea-01d4-5463-9f4c-f6b4db2a7c30"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* CompanyName RivetNetworksLLC */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0038002e0034002e00350039 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0038002e0034002e00350039 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* InternalName KfeCoDrvsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c } /* ProductName KillerTrafficControl */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* OriginalFilename KfeCoDrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d00320030003100380020005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* LegalCopyright CopyrightCRivetNetworksLLC */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /KfeCo11X64/i
}
rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_7CB5 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21"
date = "2023-06-14"
score = 70
id = "4a43c176-9f5b-56c0-8655-0b90f862ec6e"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* ProductVersion */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /zam64/i
}
rule PUA_VULN_Renamed_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautochkupddrvdriver_2AA1 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrAutoChkUpdDrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4"
date = "2023-06-14"
score = 70
id = "718285a7-b151-5ccd-8dcf-9edac9db7d61"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* FileDescription AsrAutoChkUpdDrvDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* CompanyName ASRockIncorporation */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030002e00300030002e00300030003000300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030002e00300030002e0030003000300030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076002e007300790073 } /* InternalName AsrAutoChkUpdDrvsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100730072004100750074006f00430068006b0055007000640044007200760020004400720069007600650072 } /* ProductName AsrAutoChkUpdDrvDriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100730072004100750074006f00430068006b005500700064004400720076002e007300790073 } /* OriginalFilename AsrAutoChkUpdDrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100320020004100530052006f0063006b00200049006e0063006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCASRockIncorporation */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AsrAutoChkUpdDrv/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd"
hash = "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10"
date = "2023-06-14"
score = 70
id = "2c22997e-aaa3-5a23-83bb-0f4be8da3837"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000370030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000320020002d002000320030003100320020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_2899 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7"
hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2"
date = "2023-06-14"
score = 70
id = "7d961433-d8f7-526b-b5f1-29d896f39a5f"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000300038002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_818E {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01"
date = "2023-06-14"
score = 70
id = "3851c445-23c0-59a1-85e9-a32758a73bd8"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000370038 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_6FFD {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc"
date = "2023-06-14"
score = 70
id = "7523cea1-54f0-5328-90ec-e5170c5cfe01"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c00650020004e006f00540072006100700020004200750069006c0064 } /* FileDescription TrendMicroCommonModuleNoTrapBuild */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0030002e0030002e0031003100300034 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_7710 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c"
hash = "8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2"
hash = "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88"
hash = "f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c"
date = "2023-06-14"
score = 70
id = "3e19f0b1-a1ce-5f2e-a26d-1c7ff8e82f16"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310035002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i
}
rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrserverddkdriver_22BE {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - speedfan.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c"
date = "2023-06-14"
score = 70
id = "86dedef9-d4dc-5c62-b03c-502c0f80ae57"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0053007000650065006400460061006e00200044006500760069006300650020004400720069007600650072 } /* FileDescription SpeedFanDeviceDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0073007000650065006400660061006e002e007300790073 } /* InternalName speedfansys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0073007000650065006400660061006e002e007300790073 } /* OriginalFilename speedfansys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /speedfan/i
}
rule PUA_VULN_Renamed_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_9131 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - OpenLibSys.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c"
date = "2023-06-14"
score = 70
id = "bcdf7111-a4ee-5603-b42e-b1acbaf80d69"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004f00700065006e004c00690062005300790073 } /* FileDescription OpenLibSys */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e006f00720067 } /* CompanyName OpenLibSysorg */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* InternalName OpenLibSyssys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004f00700065006e004c00690062005300790073 } /* ProductName OpenLibSys */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004f00700065006e004c00690062005300790073002e007300790073 } /* OriginalFilename OpenLibSyssys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000370020004f00700065006e004c00690062005300790073002e006f00720067 } /* LegalCopyright CopyrightCOpenLibSysorg */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /OpenLibSys/i
}
rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148"
date = "2023-06-14"
score = 70
id = "0434de42-0da2-5e6c-9c07-e742e53b5c98"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000330038002c00200030002c00200030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000330038002c00200030002c00200030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100310020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i
}
rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22"
date = "2023-06-14"
score = 70
id = "ec649ec9-8a01-5665-b18f-eabb5da7c6ea"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0032002e0033 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0032002e0033 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ATSZIO/i
}
rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_075D {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85"
hash = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc"
date = "2023-06-14"
score = 70
id = "ebf21994-6431-57ba-9c7f-d768cbf7eb33"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00330032 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00330032 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320030 } /* LegalCopyright CopyrightCMarkRussinovich */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i
}
rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_AE42 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471"
hash = "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2"
hash = "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff"
date = "2023-06-14"
score = 70
id = "2f1a0973-929d-506e-b344-ce9d37c8eaf5"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003300200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00330020007800360034 } /* ProductVersion x */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0033 } /* ProductName MsIoDriverVersion */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003200310020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /MsIo64/i
}
rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_3724 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b"
date = "2023-06-14"
score = 70
id = "f5ff0000-66e2-5f32-87b2-f66481c904b4"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0032002e003100310039003200330030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0032002e003100310039003200330030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100390020005000750062006c00690063 } /* ProductName AntidetectPublic */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100390020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */
condition:
uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /VBoxDrv/i
}
rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4"
date = "2023-06-14"
score = 70
id = "bcfba84e-b503-5dd7-b64d-85fcda1c559f"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200033002c00200032 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i
}
rule PUA_VULN_Renamed_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee"
hash = "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3"
date = "2023-06-14"
score = 70
id = "45887d8b-facf-5053-bc58-16bd214a24f1"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062005f005800360034 } /* FileDescription NTIOLibX */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* InternalName NTIOLibXsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034 } /* ProductName NTIOLibX */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100340020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
}
rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_6BFC {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e"
hash = "3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc"
hash = "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7"
date = "2023-06-14"
score = 70
id = "1078dda3-be3d-57d2-becf-dbe54943e48b"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310031 } /* LegalCopyright CopyrightCMRussinovich */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i
}
rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_7A48 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf"
date = "2023-06-14"
score = 70
id = "54bb3bce-fafa-519c-a701-2857ba3b8a97"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340031 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340031 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i
}
rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_45F4 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef"
date = "2023-06-14"
score = 70
id = "239d02c6-0f72-5ce8-833c-62b7e8e371e8"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e003800360035 } /* ProductVersion */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i
}
rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4D05 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee"
hash = "77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9"
hash = "cff9aa9046bdfd781d34f607d901a431a51bb7e5f48f4f681cc743b2cdedc98c"
hash = "b51ddcf8309c80384986dda9b11bf7856b030e3e885b0856efdb9e84064917e5"
hash = "ff115cefe624b6ca0b3878a86f6f8b352d1915b65fbbdc33ae15530a96ebdaa7"
hash = "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5"
hash = "57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572"
hash = "d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1"
date = "2023-06-14"
score = 70
id = "081a636c-c65c-500e-9eee-7da4347f658a"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0034 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300030003600200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i
}
rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_86A1 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882"
date = "2023-06-14"
score = 70
id = "1e317c82-53b6-5ab2-9298-1dd046f6fd65"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf"
date = "2023-06-14"
score = 70
id = "94cea41e-38ce-5786-b483-91778b9d1b23"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0031003100300036 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_BE8D {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2"
date = "2023-06-14"
score = 70
id = "f54f0567-711e-5cfd-bc81-34854e8c6cb2"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0034002e0033003800390031002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0034002e0033003800390031002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_3070 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab"
date = "2023-06-14"
score = 70
id = "eaed99a4-a035-5f0a-bcbe-8f0e2953da40"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0053004900200043006f006d00430065006e00530065007200760069006300650020004400720069007600650072 } /* FileDescription MSIComCenServiceDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
}
rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_CC58 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b"
date = "2023-06-14"
score = 70
id = "9cd3e34b-90ba-5e52-b049-966a7dceed9d"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
}
rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Windowsrcodenamelonghornddkdriver_916C {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677"
hash = "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab"
hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82"
date = "2023-06-14"
score = 70
id = "a3e882e8-d5ae-5b62-b95c-5132299e1682"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f004400720069007600650072 } /* FileDescription RealtekIODriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f002e007300790073 } /* InternalName rtkiosys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f002e007300790073 } /* OriginalFilename rtkiosys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio64/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E4D9 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036"
date = "2023-06-14"
score = 70
id = "af95748b-1c9d-5065-9a12-2a9826a4f245"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00350030002e0030002e0031003000350038 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00350030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwinddkdriver_8C74 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CupFixerx64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9"
date = "2023-06-14"
score = 70
id = "57d993b7-ce28-5f14-872a-71bbb4f79d2e"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530069006e0063006500790020004300750070002000460069007800650072 } /* FileDescription SinceyCupFixer */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00330032002e0030002e00310030003000310031002e00310033003300330037 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00330032002e0030002e00310030003000310031002e00310033003300330037 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00430075007000460069007800650072007800360034002e007300790073 } /* InternalName CupFixerxsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00430075007000460069007800650072007800360034002e007300790073 } /* OriginalFilename CupFixerxsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CupFixerx64/i
}
rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_B175 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0"
date = "2023-06-14"
score = 70
id = "e7e44244-24cc-556d-9a3c-d797535979a5"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390036 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390036 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000370020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /EIO/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_2AFD {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30"
date = "2023-06-14"
score = 70
id = "7a7404ea-d835-5d65-9c8e-1f694d9458fe"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000390038 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Iomapsys_Asuskernelmodedriverfornt_EA85 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IOMap64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41"
date = "2023-06-14"
score = 70
id = "029b7abb-cea8-5713-b220-476d2b2fc30e"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* FileDescription ASUSKernelModeDriverforNT */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f004d00610070002e007300790073 } /* InternalName IOMapsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410053005500530020004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200066006f00720020004e00540020 } /* ProductName ASUSKernelModeDriverforNT */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f004d00610070002e007300790073 } /* OriginalFilename IOMapsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003100300020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /IOMap64/i
}
rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E05E {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53"
date = "2023-06-14"
score = 70
id = "e61c9ebc-6ec1-5302-934b-f023601a34d8"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000370032002c00200030002c00200030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000370032002c00200030002c00200030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt/i
}
rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E452 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9"
date = "2023-06-14"
score = 70
id = "2e64bafa-9707-53f1-981c-ce1e863a8cfc"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0032002e0033003800320037002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0032002e0033003800320037002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Marvintestsolutionsinc_Hwsys_Hw_5596 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hw.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa"
hash = "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8"
date = "2023-06-14"
score = 70
id = "e53b6cb1-981b-5639-8186-5b1a96bdb9b0"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d003100300020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e } /* CompanyName MarvinTestSolutionsInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0039002e0038002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0039002e0038002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077002e007300790073 } /* InternalName Hwsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00480057 } /* ProductName HW */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480057002e007300790073 } /* OriginalFilename HWsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390036002d00320030003200310020004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightMarvinTestSolutionsIncAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /hw/i
}
rule PUA_VULN_Renamed_Driver_Mydriverscom_Hwm_Drivergenius_08EB {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mydrivers.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6"
date = "2023-06-14"
score = 70
id = "64fe7b58-75a4-5a83-a621-c77c63d6ca1c"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00440072006900760065007200470065006e0069007500730020004800610072006400770061007200650020006d006f006e00690074006f0072 } /* FileDescription DriverGeniusHardwaremonitor */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00790044007200690076006500720073002e0063006f006d } /* CompanyName MyDriverscom */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0032002e003700300037002e0031003200310034 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032003000310036002e0037002e0037002e0031003200310034 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480057004d } /* InternalName HWM */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00440072006900760065007200470065006e006900750073 } /* ProductName DriverGenius */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006d00790064007200690076006500720073002e007300790073 } /* OriginalFilename mydriverssys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020004d00790044007200690076006500720073002e0063006f006d00200061006c006c002000720069006700680074 } /* LegalCopyright CopyrightMyDriverscomallright */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /mydrivers/i
}
rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75"
date = "2023-06-14"
score = 70
id = "aa83d18f-662b-573d-873a-a88179982b9e"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0037002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0037002e0031002e0031 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300037002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SANDRA/i
}
rule PUA_VULN_Renamed_Driver_Powertool_Kevpsys_Powertool_8E63 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f"
hash = "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184"
hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c"
date = "2023-06-14"
score = 70
id = "d967bff5-7db8-587b-9422-a43280230261"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006f0077006500720054006f006f006c } /* FileDescription PowerTool */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* CompanyName PowerTool */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0031002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* InternalName kEvPsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006f0077006500720054006f006f006c } /* ProductName PowerTool */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00450076005000360034002e007300790073 } /* OriginalFilename kEvPsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0050006f0077006500720054006f006f006c } /* LegalCopyright PowerTool */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /kEvP64/i
}
rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_3B6E {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b"
date = "2023-06-14"
score = 70
id = "7fbdb3fe-4655-5656-babb-d99a3ff0c00f"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0037002e003100310033002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7C73 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b"
hash = "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c"
date = "2023-06-14"
score = 70
id = "cc96821c-2dbb-5205-9aa4-55fb8cbe12b5"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320039 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1A42 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0"
date = "2023-06-14"
score = 70
id = "6c116541-9615-5ede-ad94-7879306eee68"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EC5F {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5"
date = "2023-06-14"
score = 70
id = "db63af64-4b16-5873-b2ba-792f3d8cdbc7"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000370038 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_34E0 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf"
date = "2023-06-14"
score = 70
id = "ff70dd78-039c-53db-8692-5a34d2d0b82a"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0035002e00390036002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0035002e00390036002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_D0BD {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889"
date = "2023-06-14"
score = 70
id = "9bf0e4e6-84e3-58ae-8a53-caa45cf7cf1d"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e00300031 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e00300031 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
}
rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_3C18 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b"
date = "2023-06-14"
score = 70
id = "ac00f0ae-fb0b-50e4-91f4-ea2f46bdb27b"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310036002e003900320038 } /* ProductVersion */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i
}
rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a"
date = "2023-06-14"
score = 70
id = "76145e28-0c1d-5916-b966-0ce7dcad8a90"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000370034002c00200030002c00200030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000370034002c00200030002c00200030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i
}
rule PUA_VULN_Renamed_Driver_Dtresearchinc_Iomemsys_Iomemsys_3D23 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4"
date = "2023-06-14"
score = 70
id = "fae3ff35-0e7c-542f-85c1-8fecca9078f3"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440054002000520065007300650061007200630068002c00200049006e0063002e } /* CompanyName DTResearchInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0033002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0033002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* InternalName iomemsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* ProductName iomemsys */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* OriginalFilename iomemsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0044005400200052006500730065006100720063006800200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright DTResearchIncAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iomem64/i
}
rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_496F {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b"
date = "2023-06-14"
score = 70
id = "71498e5d-a30f-5501-a45f-3c01f1dac039"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0035002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0035002e0031002e0031 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300036002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SANDRA/i
}
rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_1B00 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e"
hash = "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5"
date = "2023-06-14"
score = 70
id = "0c8db0c4-24fa-5a66-b60d-f121a535f14a"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310032002e00300030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e00300030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310030 } /* LegalCopyright CopyrightCMRussinovich */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i
}
rule PUA_VULN_Renamed_Driver_Multitheftauto_Mtasanandreas_9F4C {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FairplayKD.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5"
date = "2023-06-14"
score = 70
id = "5f75950b-3802-55d5-ad51-37ab9c31d5e4"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0075006c007400690020005400680065006600740020004100750074006f0020007000610074006300680020006400720069007600650072 } /* FileDescription MultiTheftAutopatchdriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0075006c007400690020005400680065006600740020004100750074006f } /* CompanyName MultiTheftAuto */
$ = { 00460069006c006500560065007200730069006f006e[1-8]003300360037002e0033003200360039002e00360031002e00360034 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]003300360037002e0033003200360039002e00360031002e00360034 } /* ProductVersion */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00540041002000530061006e00200041006e00640072006500610073 } /* ProductName MTASanAndreas */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]002800430029002000320030003000330020002d002000320030003100370020004d0075006c007400690020005400680065006600740020004100750074006f } /* LegalCopyright CMultiTheftAuto */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /FairplayKD/i
}
rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c"
date = "2023-06-14"
score = 70
id = "be9dd90a-22ec-5981-8f8e-16cfd2b9b824"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_EF6D {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850"
date = "2023-06-14"
score = 70
id = "0648fea6-a29e-5cc4-bdf9-e74966dbeb71"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000380030002c00200030002c00200030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100360020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /viragt64/i
}
rule PUA_VULN_Renamed_Driver_Microfocus_Microfocusxtier_95D5 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3"
date = "2023-06-14"
score = 70
id = "8e5947fc-33c2-53c4-b9cb-548373df35dc"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200043004f004d0020005300650072007600690063006500730020004400720069007600650072 } /* FileDescription XTierCOMServicesDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073 } /* CompanyName MicroFocus */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073002000580054006900650072 } /* ProductName MicroFocusXTier */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006c00690062006e00690063006d002e007300790073 } /* OriginalFilename libnicmsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310037002c0020004d006900630072006f00200046006f006300750073002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightMicroFocusAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /libnicm/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E3EF {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918"
date = "2023-06-14"
score = 70
id = "d5efbb84-070c-5caa-92c0-d320088d2e73"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003100300031 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa"
date = "2023-06-14"
score = 70
id = "323095b4-4fee-5c73-99f1-fe1142889cea"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f } /* FileDescription ALSysIO */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0039002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0039002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* InternalName ALSysIOsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f } /* ProductName ALSysIO */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f002e007300790073 } /* OriginalFilename ALSysIOsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300030003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ALSysIO64/i
}
rule PUA_VULN_Renamed_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys_Paniolibrary_F596 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIO.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960"
date = "2023-06-14"
score = 70
id = "0c9f3005-da64-5545-b9d3-4c9c43152dca"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00540065006d0070006500720061007400750072006500200061006e0064002000730079007300740065006d00200069006e0066006f0072006d006100740069006f006e0020006400720069007600650072 } /* FileDescription Temperatureandsysteminformationdriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* CompanyName PanYazilimBilisimTeknolojileriTicLtdSti */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* InternalName PanIOsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500061006e0049004f0020004c006900620072006100720079 } /* ProductName PanIOLibrary */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00500061006e0049004f002e007300790073 } /* OriginalFilename PanIOsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310032002d0032003000310034002000500061006e002000590061007a0069006c0069006d002000420069006c006900730069006d002000540065006b006e006f006c006f006a0069006c0065007200690020005400690063002e0020004c00740064002e0020005300740069002e } /* LegalCopyright CopyrightcPanYazilimBilisimTeknolojileriTicLtdSti */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /PanIO/i
}
rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_1768 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca"
date = "2023-06-14"
score = 70
id = "67cbef32-1033-55ff-8a49-b12ee01e6800"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0038002e003100330037002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0038002e003100330037002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_9A54 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7"
date = "2023-06-14"
score = 70
id = "6f5fdb7c-ed88-5e1f-9f03-d86bf9646ee2"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0031002e0034003100330032002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Oti_Otipcibussys_Kernelmodedrivertoaccessphysicalmemoryandports_4E3E {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - otipcibus.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80"
date = "2023-06-14"
score = 70
id = "98494db9-778d-531c-9688-535d539cd953"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0048006100720064007700610072006500200041006300630065007300730020004400720069007600650072 } /* FileDescription HardwareAccessDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004f00540069 } /* CompanyName OTi */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0031003000300030002e0030002e0031 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0031003000300030002e0030002e0031 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006f0074006900700063006900620075007300360034002e007300790073 } /* InternalName otipcibussys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00650072006e0065006c0020004d006f00640065002000440072006900760065007200200054006f002000410063006300650073007300200050006800790073006900630061006c0020004d0065006d006f0072007900200041006e006400200050006f007200740073 } /* ProductName KernelModeDriverToAccessPhysicalMemoryAndPorts */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006f0074006900700063006900620075007300360034002e007300790073 } /* OriginalFilename otipcibussys */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /otipcibus/i
}
rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_DCB8 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258"
date = "2023-06-14"
score = 70
id = "f6bf8995-aba2-52ff-ba26-eabbef6933bd"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_CFCF {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab"
date = "2023-06-14"
score = 70
id = "a40d5b51-bdcd-5ca9-b708-220f0d3e5c83"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d0049004300530059005300200049004f0020006400720069007600650072 } /* FileDescription MICSYSIOdriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320020007800360034 } /* ProductVersion x */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName MsIoDriverVersion */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100390020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /MsIo64/i
}
rule PUA_VULN_Renamed_Driver_Dtresearchinc_Iomemsys_Iomemsys_DD4A {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097"
date = "2023-06-14"
score = 70
id = "35a9803d-08a8-5cad-9eb6-ac7a9366f32b"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0044005400520020004b00650072006e0065006c0020006d006f006400650020006400720069007600650072 } /* FileDescription DTRKernelmodedriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00440054002000520065007300650061007200630068002c00200049006e0063002e } /* CompanyName DTResearchInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* InternalName iomemsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* ProductName iomemsys */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006f006d0065006d002e007300790073 } /* OriginalFilename iomemsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0044005400200052006500730065006100720063006800200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright DTResearchIncAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iomem64/i
}
rule PUA_VULN_Renamed_Driver_Pchuntersys_Pchunter_1B7F {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PCHunter.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa"
date = "2023-06-14"
score = 70
id = "1e9534ab-0139-5550-93ac-e0e2e4f54c3f"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00450070006f006f006c0073006f00660074002000570069006e0064006f0077007300200049006e0066006f0072006d006100740069006f006e0020005600690065007700200054006f006f006c0073 } /* FileDescription EpoolsoftWindowsInformationViewTools */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]4e00666e660e4e3aff0853174eacff094fe1606f6280672f67099650516c53f8 } /* CompanyName */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0034 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0034 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0050004300480075006e007400650072002e007300790073 } /* InternalName PCHuntersys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050004300480075006e007400650072 } /* ProductName PCHunter */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0050004300480075006e007400650072002e007300790073 } /* OriginalFilename PCHuntersys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200032003000310033002d0032003000310036002000450070006f006f006c0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CEpoolsoftCorporationAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 800KB and all of them and not filename matches /PCHunter/i
}
rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3"
date = "2023-06-14"
score = 70
id = "ec46068f-99f6-5335-a695-c2d4f67661c4"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0035002e0034003200320030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Novellinc_Novellxtier_8E88 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c"
date = "2023-06-14"
score = 70
id = "dcdacb63-7b72-512e-98fc-f9899eef184f"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e006f00760065006c006c002000580054006900650072002000530065007300730069006f006e0020004d0061006e0061006700650072 } /* FileDescription NovellXTierSessionManager */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e006f00760065006c006c002c00200049006e0063002e } /* CompanyName NovellInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e0036002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e0036 } /* ProductVersion */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e006f00760065006c006c002000580054006900650072 } /* ProductName NovellXTier */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310031002c0020004e006f00760065006c006c002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightNovellIncAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i
}
rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_E428 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f"
date = "2023-06-14"
score = 70
id = "ab5fa19d-04b9-53b1-8c25-311b2b70de67"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310037002e003900380034 } /* ProductVersion */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06"
date = "2023-06-14"
score = 70
id = "5011ac46-4366-57f2-8102-10fffffb3c27"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100300036 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Huawei_Hwosec_Huaweimatebook_B179 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HwOs2Ec7x64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de"
hash = "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc"
date = "2023-06-14"
score = 70
id = "0b7fdb14-88a4-55cc-ab9e-062dd05df561"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00480077004f0073003200450063 } /* FileDescription HwOsEc */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004800750061007700650069 } /* CompanyName Huawei */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077004f0073003200450063 } /* InternalName HwOsEc */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0048007500610077006500690020004d0061007400650042006f006f006b } /* ProductName HuaweiMateBook */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480077004f0073003200450063002e007300790073 } /* OriginalFilename HwOsEcsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310036 } /* LegalCopyright CopyrightC */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HwOs2Ec7x64/i
}
rule PUA_VULN_Renamed_Driver_Hpinc_Hpportioxsys_Hpportio_A468 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HpPortIox64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9"
date = "2023-06-14"
score = 70
id = "375a9cb2-5ba6-56d1-944c-38c724f3746d"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200049006e0063002e } /* CompanyName HPInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* InternalName HpPortIoxsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800700050006f007200740049006f } /* ProductName HpPortIo */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* OriginalFilename HpPortIoxsys */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HpPortIox64/i
}
rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_7661 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a"
date = "2023-06-14"
score = 70
id = "6af53a8a-2e39-536a-a817-a29748de5055"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310038002e003200320039 } /* ProductVersion */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i
}
rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_8B92 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2"
date = "2023-06-14"
score = 70
id = "9225e30b-aca2-5989-a73b-8d40d72e2a01"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i
}
rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_881B {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461"
date = "2023-06-14"
score = 70
id = "90404bf8-2575-5437-898d-6dfb22b04027"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0033002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0033002e0031002e0031 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300035002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SANDRA/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b"
date = "2023-06-14"
score = 70
id = "f5af1fa3-89f3-5e06-8f67-bb26b89a5c1d"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003000370033 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_80A5 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085"
date = "2023-06-14"
score = 70
id = "fc4c8180-77b2-593e-b4c0-5340871291bd"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003000390031 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Microfocus_Microfocusxtier_5351 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c"
date = "2023-06-14"
score = 70
id = "084f65a0-6a2a-59b6-9a5a-3f45a4f5c892"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0058005400690065007200200053006500630075007200690074007900200043006f006e00740065007800740020004d0061006e0061006700650072 } /* FileDescription XTierSecurityContextManager */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073 } /* CompanyName MicroFocus */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0031002e00310032002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0031002e00310032 } /* ProductVersion */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f00200046006f006300750073002000580054006900650072 } /* ProductName MicroFocusXTier */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00730063006d002e007300790073 } /* OriginalFilename nscmsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280043002900200043006f007000790072006900670068007400200032003000300030002d0032003000310037002c0020004d006900630072006f00200046006f006300750073002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CCopyrightMicroFocusAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nscm/i
}
rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7882 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxdrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f"
hash = "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924"
date = "2023-06-14"
score = 70
id = "63c99882-aa1c-522c-ae84-485306bdbea4"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e007200340035003800340036 } /* FileVersion r */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0030002e007200340035003800340036 } /* ProductVersion r */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /vboxdrv/i
}
rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_5FAD {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36"
hash = "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6"
date = "2023-06-14"
score = 70
id = "6eecc3dd-cbcf-5d2f-8005-e027230e64b1"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310036002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310036002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CorsairLLAccess64/i
}
rule PUA_VULN_Renamed_Driver_Cpuid_Cpuzsys_Cpuidservice_A072 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4"
hash = "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b"
hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d"
date = "2023-06-14"
score = 70
id = "4ecccfaa-43fb-582e-9a9e-77529ee9234f"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00430050005500490044 } /* CompanyName CPUID */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e003100360033003800350020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0031002e0037003600300030002e00310036003300380035 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005000550049004400200073006500720076006900630065 } /* ProductName CPUIDservice */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280043002900200032003000310036002000430050005500490044 } /* LegalCopyright CopyrightCCPUID */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz/i
}
rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2A62 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8"
date = "2023-06-14"
score = 70
id = "492872fa-b936-526f-94c6-c9524039e583"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c002000360035002c00200030002c00200030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c002000360035002c00200030002c00200030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100320020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i
}
rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_AAA3 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c"
date = "2023-06-14"
score = 70
id = "272c95fe-bf5a-53d8-b54b-10dfa4f2945a"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0032002e0033003800320030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0032002e0033003800320030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswvmmsys_Avastantivirus_3650 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswVmm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10"
date = "2023-06-14"
score = 70
id = "715dc163-ea21-5633-9d27-6b80e5207fb6"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00610076006100730074002100200056004d0020004d006f006e00690074006f0072 } /* FileDescription avastVMMonitor */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0038002e0030002e0031003400390037002e003300370036 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0038002e0030002e0031003400390037002e003300370036 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0061007300770056006d006d002e007300790073 } /* InternalName aswVmmsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00610076006100730074002100200041006e0074006900760069007200750073 } /* ProductName avastAntivirus */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061007300770056006d006d002e007300790073 } /* OriginalFilename aswVmmsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003300200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswVmm/i
}
rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserverddkdriver_31F4 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427"
hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38"
hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229"
date = "2023-06-14"
score = 70
id = "f7ade11a-24e4-5e93-9a9b-d7700b0182db"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00310038003300300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0031003800330030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i
}
rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339"
date = "2023-06-14"
score = 70
id = "8f96b69a-eec3-5b8d-b938-902b02f32e29"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050004e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPNPDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037003100320030003100300031 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]006700640072007600360034 } /* ProductName gdrv */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i
}
rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedriver_CF69 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb"
date = "2023-06-14"
score = 70
id = "f9a24212-2805-5af3-906f-56ba8a60409c"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* FileDescription ASUSVGAKernelModeDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTeKComputerInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00390037 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00390037 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00450049004f002e007300790073 } /* InternalName EIOsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100530055005300200056004700410020004b00650072006e0065006c0020004d006f006400650020004400720069007600650072 } /* ProductName ASUSVGAKernelModeDriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00450049004f002e007300790073 } /* OriginalFilename EIOsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000320030003000340020004100530055005300540065004b00200043006f006d0070007500740065007200200049006e0063002e } /* LegalCopyright CopyrightASUSTeKComputerInc */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /EIO/i
}
rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_4408 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c"
date = "2023-06-14"
score = 70
id = "e13ccc4c-bee8-5b8d-a94c-8c6d42b7656e"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340033 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340033 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i
}
rule PUA_VULN_Renamed_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontrol_B583 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo10X64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704"
date = "2023-06-14"
score = 70
id = "dac8f089-8029-55f6-afcc-f2095c22a925"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c002000430061006c006c006f007500740020004400720069007600650072 } /* FileDescription KillerTrafficControlCalloutDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* CompanyName RivetNetworksLLC */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0039002e0037002e0034002e00310031 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0039002e0037002e0034002e00310031 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* InternalName KfeCoDrvsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b0069006c006c006500720020005400720061006600660069006300200043006f006e00740072006f006c } /* ProductName KillerTrafficControl */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004b006600650043006f004400720076002e007300790073 } /* OriginalFilename KfeCoDrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d00320030003100380020005200690076006500740020004e006500740077006f0072006b0073002c0020004c004c0043002e } /* LegalCopyright CopyrightCRivetNetworksLLC */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /KfeCo10X64/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_ED2F {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39"
date = "2023-06-14"
score = 70
id = "51c17b83-1d09-58c5-857c-f144ff6f5108"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e00380030002e0030002e0031003000360033 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00380030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Msi_Ntiolibxsys_Ntiolib_09BE {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1"
date = "2023-06-14"
score = 70
id = "f4cb25ca-f56d-5bdc-a53c-5bc91c677e49"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0032 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* InternalName NTIOLibXsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062005f005800360034002e007300790073 } /* OriginalFilename NTIOLibXsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_A802 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e"
date = "2023-06-14"
score = 70
id = "9faf0f73-9c1e-549c-a375-8b3c3b89652c"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0035002e0030002e0031003100320031 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0035 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0F01 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8"
date = "2023-06-14"
score = 70
id = "89b49564-f27a-5184-9710-a3b5c3b435fb"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0038002e0034003000350037002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_7539 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c"
date = "2023-06-14"
score = 70
id = "70f1192d-29b0-5e55-9a0c-e0a17ca5e57a"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e007200340039003300310035 } /* FileVersion r */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e007200340039003300310035 } /* ProductVersion r */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /VBoxDrv/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_478D {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0"
date = "2023-06-14"
score = 70
id = "3ed4ee1e-989f-5729-9f93-e1a84cf0565b"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000380032 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Activeclean_A903 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e"
date = "2023-06-14"
score = 70
id = "ef749b9f-ba3a-53f6-ba93-d8a57f4ef398"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0036002e0030002e0031003000350032 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0036 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006300740069007600650043006c00650061006e } /* ProductName ActiveClean */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_3FF3 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa"
hash = "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675"
date = "2023-06-14"
score = 70
id = "f178f1b8-8f10-50e2-9d17-f83e09e2b020"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00340030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00340030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310030 } /* LegalCopyright CopyrightCMRussinovich */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i
}
rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_BDBC {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c"
date = "2023-06-14"
score = 70
id = "c633441c-348f-527e-8187-51b28a53b63a"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00300031 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00300031 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300037 } /* LegalCopyright CopyrightCMRussinovich */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7837 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408"
date = "2023-06-14"
score = 70
id = "f4821039-4998-5f15-99a7-72c4a1219d94"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000350036 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_0B2A {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d"
date = "2023-06-14"
score = 70
id = "54df9ee8-fd07-5c87-a94f-63289f1844f5"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0037002e0034003000330031002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0037002e0034003000330031002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Copyright_Advancedmalwareprotection_6F55 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amsdk.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c"
date = "2023-06-14"
score = 70
id = "9d1dabed-5497-5325-b982-653aed3fd039"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* FileDescription AdvancedMalwareProtection */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007000790072006900670068007400200032003000310038002e } /* CompanyName Copyright */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030002e0030002e003000300030 } /* ProductVersion */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006400760061006e0063006500640020004d0061006c0077006100720065002000500072006f00740065006300740069006f006e } /* ProductName AdvancedMalwareProtection */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005a0041004d002e006500780065 } /* OriginalFilename ZAMexe */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200032003000310038002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /amsdk/i
}
rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b"
date = "2023-06-14"
score = 70
id = "eff2a649-3401-5c91-8856-602c4e976982"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200032002c00200030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003900200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /elbycdio/i
}
rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_2D2C {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b"
date = "2023-06-14"
score = 70
id = "932a6fdd-6631-5af4-94bf-7fbf48243d7f"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0036 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003200200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i
}
rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185"
date = "2023-06-14"
score = 70
id = "e786e683-d225-506b-ae7d-7c81aa4ac14d"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i
}
rule PUA_VULN_Renamed_Driver_Arthurliberman_Alsysiosys_Alsysio_119C {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280"
date = "2023-06-14"
score = 70
id = "58289f86-0988-5bf7-b009-8315f1b3696f"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004c0053007900730049004f00360034 } /* FileDescription ALSysIO */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041007200740068007500720020004c0069006200650072006d0061006e } /* CompanyName ArthurLiberman */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e00310031002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e00310031002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004c0053007900730049004f00360034002e007300790073 } /* InternalName ALSysIOsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004c0053007900730049004f00360034 } /* ProductName ALSysIO */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004c0053007900730049004f00360034002e007300790073 } /* OriginalFilename ALSysIOsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300033002d003200300031003900200041007200740068007500720020004c0069006200650072006d0061006e } /* LegalCopyright CopyrightCArthurLiberman */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ALSysIO64/i
}
rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_263E {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24"
date = "2023-06-14"
score = 70
id = "51fc8e1a-fbf2-59cf-9cde-464859a4160c"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00320035002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320035002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* OriginalFilename viragtsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000300036002c002000320030003100300020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i
}
rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_E839 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa"
date = "2023-06-14"
score = 70
id = "70173412-67b5-5647-ab39-354b69193668"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004300500055005f00430043 } /* FileDescription NTIOLibforMSICPUCC */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
}
rule PUA_VULN_Renamed_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physmemsys_Physicalmemoryaccessdriver_C299 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - physmem.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d"
date = "2023-06-14"
score = 70
id = "27aa8117-0bc2-5f84-98df-d7360bba16a4"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* FileDescription PhysicalMemoryAccessDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00480069006c0073006300680065007200200047006500730065006c006c0073006300680061006600740020006600fc0072002000530079007300740065006d0061006f00750074006f006d006100740069006f006e0020006d00620048 } /* CompanyName HilscherGesellschaftfrSystemaoutomationmbH */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0070006800790073006d0065006d002e007300790073 } /* InternalName physmemsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0050006800790073006900630061006c0020004d0065006d006f0072007900200041006300630065007300730020004400720069007600650072 } /* ProductName PhysicalMemoryAccessDriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0070006800790073006d0065006d002e007300790073 } /* OriginalFilename physmemsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a9002000480069006c0073006300680065007200200047006500730065006c006c0073006300680061006600740020006600fc0072002000530079007300740065006d0061006f00750074006f006d006100740069006f006e0020006d00620048002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright HilscherGesellschaftfrSystemaoutomationmbHAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /physmem/i
}
rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_AF10 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a"
date = "2023-06-14"
score = 70
id = "defc1d03-fae1-5a21-b8ca-f39bdbecaad6"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003700200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i
}
rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47"
date = "2023-06-14"
score = 70
id = "8ea15559-48f5-5f9c-bf03-1ee3b0cac919"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200032 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i
}
rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285"
date = "2023-06-14"
score = 70
id = "e5ec701e-320e-5991-988f-a1334b9a85ff"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200034 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200034 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100330020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i
}
rule PUA_VULN_Renamed_Driver_Cyreninc_Amp_Cyrenamp_CBB8 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amp.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6"
date = "2023-06-14"
score = 70
id = "b964d59a-0fbf-56be-ae31-323431384cf2"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d00500020004d0069006e006900660069006c007400650072 } /* FileDescription AMPMinifilter */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043005900520045004e00200049006e0063002e } /* CompanyName CYRENInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0034002e00310031002e0031 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0034002e00310031002e0031 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d0050 } /* InternalName AMP */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043005900520045004e00200041004d005000200035 } /* ProductName CYRENAMP */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061006d0070002e007300790073 } /* OriginalFilename ampsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a9002000310039003900390020002d00200032003000310034002e00200043005900520045004e00200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCYRENIncAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /amp/i
}
rule PUA_VULN_Renamed_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - superbmc.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35"
date = "2023-06-14"
score = 70
id = "39029753-a7bc-555f-9c5b-075e934f344a"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007300750070006500720062006d0063 } /* FileDescription superbmc */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* CompanyName SuperMicroComputerInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007300750070006500720062006d0063 } /* InternalName superbmc */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]007300750070006500720062006d0063 } /* ProductName superbmc */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007300750070006500720062006d0063002e007300790073 } /* OriginalFilename superbmcsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280063002900200031003900390033002d00320030003100350020005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* LegalCopyright CopyrightcSuperMicroComputerInc */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /superbmc/i
}
rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_1023 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4"
date = "2023-06-14"
score = 70
id = "d3a08d45-760a-538c-93ee-6363e1931b2a"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0031002e0033003800300030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0031002e0033003800300030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310038002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54"
hash = "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5"
date = "2023-06-14"
score = 70
id = "0deb0c4b-e67b-5d53-bd95-3d7fd7833958"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0031002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0031002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003500200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i
}
rule PUA_VULN_Renamed_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_AD23 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b"
date = "2023-06-14"
score = 70
id = "fc2c48af-ca7f-5481-b77a-1378df03f8c6"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530070006500650064002000460061006e00200078003300320020004400720069007600650072 } /* FileDescription SpeedFanxDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006c006d00690063006f00200053006f006600740077006100720065 } /* CompanyName AlmicoSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* FileVersion X */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00580034002e00340033002e00300034 } /* ProductVersion X */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* InternalName sfdrvxsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530070006500650064002000460061006e } /* ProductName SpeedFan */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00730066006400720076007800330032002e007300790073 } /* OriginalFilename sfdrvxsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200041006c006d00690063006f00200053006f00660074007700610072006500200032003000300031002d0032003000310030 } /* LegalCopyright CopyrightAlmicoSoftware */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sfdrvx32/i
}
rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5"
hash = "0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c"
hash = "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f"
hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece"
hash = "ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282"
date = "2023-06-14"
score = 70
id = "cc5590d8-d1c0-5abe-86ee-c68bf005031d"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0031002e0037 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0031002e0037 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ATSZIO/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_BCFC {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f"
date = "2023-06-14"
score = 70
id = "515d9838-49af-5f17-aed3-47386b5ea8aa"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000340039 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4FF {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b"
hash = "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b"
date = "2023-06-14"
score = 70
id = "5b79a437-d01b-588e-9ebb-b9ec5eaaffcc"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041004200590054004500200054006f006f006c0073 } /* FileDescription GIGABYTETools */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRDDKprovider */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00300030002e0032003100390035002e0031003600320030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200032003000300030002000440044004b0020006400720069007600650072 } /* ProductName WindowsRDDKdriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d006900630072006f0073006f0066007400200043006f00720070002e00200031003900380031002d0031003900390039 } /* LegalCopyright CopyrightCMicrosoftCorp */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_DBC6 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed"
date = "2023-06-14"
score = 70
id = "a949774e-d4d6-50bb-b95c-b9964f2c9054"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00350030002e0030002e0031003000340031 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00350030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100340020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_F15A {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1"
date = "2023-06-14"
score = 70
id = "6effbb24-7e9f-5ba2-85fc-348719c1875d"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310035002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310035002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CorsairLLAccess64/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_4E37 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69"
date = "2023-06-14"
score = 70
id = "8d7f71b6-6477-58ed-8840-01f1431354d3"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100340030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200310020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_ECD0 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566"
date = "2023-06-14"
score = 70
id = "dd403a42-674c-55b6-b22e-1b6abd0d64ad"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e0030002e0030002e0031003100370036 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289"
date = "2023-06-14"
score = 70
id = "4a38e7a2-564f-5e50-85ee-cd0d60a7e584"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0033002e00360038002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280"
date = "2023-06-14"
score = 70
id = "3f866c44-1ed4-5b68-b137-6c5867dbd23c"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100310037 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriver_D205 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_RCIO64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e"
date = "2023-06-14"
score = 70
id = "e20746e7-2863-50ad-9b62-2a0e68a229be"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e0031003900300031002e0031003100300030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e0031003900300031002e0031003100300030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f0020006400720069007600650072 } /* ProductName BIOSTARIOdriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f005200430049004f00360034002e007300790073 } /* OriginalFilename BSRCIOsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310038002d0032003000310039002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /BS_RCIO64/i
}
rule PUA_VULN_Renamed_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwinddkdriver_38D8 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amifldrv64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20"
hash = "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f"
date = "2023-06-14"
score = 70
id = "4b8f46b5-c709-5fdf-a6d6-1cf7745fc989"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0049002000470065006e00650072006900630020005500740069006c0069007400790020004400720069007600650072 } /* FileDescription AMIGenericUtilityDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRWinDDKprovider */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0030002e00310030003000310031002e00310036003300380034 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0061006d00690066006c006400720076002e007300790073 } /* InternalName amifldrvsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000570069006e00200037002000440044004b0020006400720069007600650072 } /* ProductName WindowsRWinDDKdriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0061006d00690066006c006400720076002e007300790073 } /* OriginalFilename amifldrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /amifldrv64/i
}
rule PUA_VULN_Renamed_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxsys_Inpoutxdriverversion_X_F581 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpoutx64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af"
hash = "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b"
hash = "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d"
date = "2023-06-14"
score = 70
id = "8a86b8d4-fc20-5b4e-9ff7-f19d229d7eff"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00650072006e0065006c0020006c006500760065006c00200070006f0072007400200061006300630065007300730020006400720069007600650072 } /* FileDescription Kernellevelportaccessdriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048006900670068007200650073006f006c007500740069006f006e00200045006e0074006500720070007200690073006500730020005b007700770077002e006800690067006800720065007a002e0063006f002e0075006b005d } /* CompanyName HighresolutionEnterpriseswwwhighrezcouk */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003200200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00320020007800360034 } /* ProductVersion x */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0069006e0070006f00750074007800360034002e007300790073 } /* InternalName inpoutxsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0069006e0070006f007500740078003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0032 } /* ProductName inpoutxDriverVersion */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0069006e0070006f00750074007800360034002e007300790073 } /* OriginalFilename inpoutxsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300030003800200048006900670068007200650073006f006c007500740069006f006e00200045006e007400650072007000720069007300650073002e00200050006f007200740069006f006e007300200043006f007000790072006900670068007400200028006300290020004c006f00670069007800340075 } /* LegalCopyright CopyrightcHighresolutionEnterprisesPortionsCopyrightcLogixu */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /inpoutx64/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_12ED {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56"
date = "2023-06-14"
score = 70
id = "616ba0c6-a6fe-550c-9e04-bbeba84118ba"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320031 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100390020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_EBE2 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3"
date = "2023-06-14"
score = 70
id = "d8069eed-ff86-59ff-a410-12a8f57764e2"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0032002e0034003100350037002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0032002e0034003100350037002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003900200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess_A334 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d"
hash = "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b"
date = "2023-06-14"
score = 70
id = "08d52deb-a03e-5738-8416-71071d8f683a"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* FileDescription CorsairLLAccess */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e } /* CompanyName CorsairMemoryInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310038002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310038002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* InternalName CorsairLLAccess */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* ProductName CorsairLLAccess */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043006f007200730061006900720020004c004c0020004100630063006500730073 } /* OriginalFilename CorsairLLAccess */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007200730061006900720020004d0065006d006f00720079002c00200049006e0063002e002000280063002900200032003000310039002c00200041006c006c0020007200690067006800740073002000720065007300650072007600650064 } /* LegalCopyright CorsairMemoryInccAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CorsairLLAccess64/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687"
date = "2023-06-14"
score = 70
id = "3ab90f44-3463-5e71-8637-b85450e8f45d"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e00350030002e0030002e0031003100320034 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e00350030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100350020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_4BC0 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4"
date = "2023-06-14"
score = 70
id = "d348bd57-9044-5fcd-905f-795ae2e5adc4"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e00320030002e0030002e0031003000310032 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e00320030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f002000410045004700490053 } /* ProductName TrendMicroAEGIS */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003100300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlocker_F85C {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IObitUnlocker.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004"
date = "2023-06-14"
score = 70
id = "25ccdffd-65c4-52aa-9bd3-1bd219b28ad0"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0055006e006c006f0063006b006500720020004400720069007600650072 } /* FileDescription UnlockerDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049004f00620069007400200049006e0066006f0072006d006100740069006f006e00200054006500630068006e006f006c006f00670079 } /* CompanyName IObitInformationTechnology */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0030002e00310030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0030002e00310030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* InternalName IObitUnlockersys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0055006e006c006f0063006b00650072 } /* ProductName Unlocker */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0049004f0062006900740055006e006c006f0063006b00650072002e007300790073 } /* OriginalFilename IObitUnlockersys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a900200049004f006200690074002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright IObitAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /IObitUnlocker/i
}
rule PUA_VULN_Renamed_Driver_Razerinc_Rzpnk_Rzpnk_93D8 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63"
date = "2023-06-14"
score = 70
id = "d7f84859-7bbf-5077-bb7a-e3de30f7a458"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00520061007a006500720020004f007600650072006c0061007900200053007500700070006f00720074 } /* FileDescription RazerOverlaySupport */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00520061007a00650072002c00200049006e0063002e } /* CompanyName RazerInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e00310032002e00310030003100350035 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0052007a0070006e006b } /* InternalName Rzpnk */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0052007a0070006e006b } /* ProductName Rzpnk */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0052007a0070006e006b002e007300790073 } /* OriginalFilename Rzpnksys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310030002d0032003000310037002e002000520061007a00650072002c00200049006e0063002e } /* LegalCopyright CopyrightCRazerInc */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rzpnk/i
}
rule PUA_VULN_Renamed_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_358A {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69"
date = "2023-06-14"
score = 70
id = "7c0bdc84-8e81-5a5f-be68-c166478147fb"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00570069007300650055006e006c006f } /* FileDescription WiseUnlo */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069007300650043006c00650061006e00650072002e0063006f006d } /* CompanyName WiseCleanercom */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0032002e00310033 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* InternalName WiseUnlosys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069007300650055006e006c006f } /* ProductName WiseUnlo */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00570069007300650055006e006c006f002e007300790073 } /* OriginalFilename WiseUnlosys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000310035 } /* LegalCopyright Copyright */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WiseUnlo/i
}
rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_9B6A {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4"
date = "2023-06-14"
score = 70
id = "6c6c46f1-00ad-5a6f-89f4-7fd7911676ac"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00320037 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00320037 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310039 } /* LegalCopyright CopyrightCMarkRussinovich */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i
}
rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_7D43 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea"
date = "2023-06-14"
score = 70
id = "ae0da285-f043-5d20-8157-8b33c827f488"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310037002e0039002e0033003700360031002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037002e0039002e0033003700360031002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310034002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_ADC1 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee"
date = "2023-06-14"
score = 70
id = "a2496fca-4e17-54a1-af5b-016e74c3adaa"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0030002e0031003000310036 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_9491 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5"
date = "2023-06-14"
score = 70
id = "e8f74917-d750-52e4-a9d0-832620ef8b24"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Fujitsulimited_Advdrvsys_Microsoftrwindowsroperatingsystem_04A8 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ADV64DRV.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162"
date = "2023-06-14"
score = 70
id = "0fa674cc-8084-5a92-804b-3572af484c63"
strings:
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00460055004a00490054005300550020004c0049004d0049005400450044002e } /* CompanyName FUJITSULIMITED */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002c00200030002c00200030002c00200030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00410044005600360034004400520056002e007300790073 } /* InternalName ADVDRVsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d006900630072006f0073006f006600740052002000570069006e0064006f0077007300520020004f007000650072006100740069006e0067002000530079007300740065006d } /* ProductName MicrosoftRWindowsROperatingSystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00410044005600360034004400520056002e007300790073 } /* OriginalFilename ADVDRVsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002800430029002000460055004a00490054005300550020004c0049004d004900540045004400200032003000300035 } /* LegalCopyright CopyrightCFUJITSULIMITED */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ADV64DRV/i
}
rule PUA_VULN_Renamed_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amdryzenmasterservicedriver_FF96 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5"
date = "2023-06-14"
score = 70
id = "d857b678-5cd6-5784-b9ae-b5171c811a9d"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* FileDescription AMDRyzenMasterServiceDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073 } /* CompanyName AdvancedMicroDevices */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* InternalName AMDRyzenMasterDriversys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d0044002000520079007a0065006e0020004d00610073007400650072002000530065007200760069006300650020004400720069007600650072 } /* ProductName AMDRyzenMasterServiceDriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d004400520079007a0065006e004d00610073007400650072004400720069007600650072002e007300790073 } /* OriginalFilename AMDRyzenMasterDriversys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020003200300031003900200041004d0044002c00200049006e0063002e } /* LegalCopyright CopyrightAMDInc */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDRyzenMasterDriver/i
}
rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_7795 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c"
date = "2023-06-14"
score = 70
id = "dce72757-4557-559c-89d3-3c526628ccbd"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* FileDescription */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310035002e00300030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310035002e00300030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0020002000200020002000200020002000200020002000200020002000200020 } /* ProductName */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000310034 } /* LegalCopyright CopyrightCMarkRussinovich */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i
}
rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a"
date = "2023-06-14"
score = 70
id = "a83e9bdc-24f4-54a1-aad9-80e84b9e3502"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003300320020007800380036002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e0037002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e0037002e0031002e0031 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300037002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SANDRA/i
}
rule PUA_VULN_Renamed_Driver_Advancedmicrodevicesinc_Amdpowerprofilersys_Amduprof_0AF5 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDPowerProfiler.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05"
date = "2023-06-14"
score = 70
id = "7c820b70-f985-596b-8426-05035c0bfafc"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041004d004400200050006f007700650072002000500072006f00660069006c0069006e00670020004400720069007600650072 } /* FileDescription AMDPowerProfilingDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041006400760061006e0063006500640020004d006900630072006f00200044006500760069006300650073002c00200049006e0063002e } /* CompanyName AdvancedMicroDevicesInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0031002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0034002e003400390033002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0041004d00440050006f00770065007200500072006f00660069006c00650072002e007300790073 } /* InternalName AMDPowerProfilersys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041004d00440020007500500072006f0066 } /* ProductName AMDuProf */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0041004d00440050006f00770065007200500072006f00660069006c00650072002e007300790073 } /* OriginalFilename AMDPowerProfilersys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020003200300032003100200041004d004400200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright AMDIncAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /AMDPowerProfiler/i
}
rule PUA_VULN_Renamed_Driver_Realtek_Rtkiosys_Realtekiodriver_074A {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761"
date = "2023-06-14"
score = 70
id = "9f1349f3-a816-5209-bf11-d84dfa035169"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300036002e0030003100310038002e00320030003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300036002e0030003100310038002e0032003000310037 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* InternalName rtkiosys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f00360034002e0073007900730020 } /* OriginalFilename rtkiosys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio64/i
}
rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_98B7 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8"
date = "2023-06-14"
score = 70
id = "7fc1fa6a-9c53-51b8-8c41-cdffe6baa132"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f0072002000440065006200750067004c00450044 } /* FileDescription NTIOLibforDebugLED */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
}
rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_9A95 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c"
date = "2023-06-14"
score = 70
id = "96f9b580-772e-5b98-ad82-06fcd246a980"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310036002e003200380037 } /* ProductVersion */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i
}
rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775"
date = "2023-06-14"
score = 70
id = "200441c8-14b2-5c30-afe7-2b1a0a979827"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0034 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003100200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i
}
rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_2BBC {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1"
date = "2023-06-14"
score = 70
id = "0c7fa8ed-1c1b-524a-b81d-62c145832fd9"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00310038002e003300370031 } /* ProductVersion */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i
}
rule PUA_VULN_Renamed_Driver_Logitechinc_Lvavsys_Logitechwebcamsoftware_E86C {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Lv561av.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4"
date = "2023-06-14"
score = 70
id = "599205df-343a-5d3d-9894-c1d1f67e8805"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004c006f00670069007400650063006800200056006900640065006f0020004400720069007600650072 } /* FileDescription LogitechVideoDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004c006f00670069007400650063006800200049006e0063002e } /* CompanyName LogitechInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310032002e00300030002e0031003200370038002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310032002e00300030002e0031003200370038002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004c007600350036003100610076002e007300790073 } /* InternalName Lvavsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004c006f006700690074006500630068002000570065006200630061006d00200053006f006600740077006100720065 } /* ProductName LogitechWebcamSoftware */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004c007600350036003100610076002e007300790073 } /* OriginalFilename Lvavsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00280063002900200031003900390036002d00320030003000390020004c006f006700690074006500630068002e002000200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright cLogitechAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 600KB and all of them and not filename matches /Lv561av/i
}
rule PUA_VULN_Renamed_Driver_Hpinc_Hpportioxsys_Hpportio_C505 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HpPortIox64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5"
date = "2023-06-14"
score = 70
id = "668c02d0-dabf-598f-8c90-5d6f0e3399e2"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800700050006f007200740049006f } /* FileDescription HpPortIo */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0048005000200049006e0063002e } /* CompanyName HPInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e0039 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e0039 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* InternalName HpPortIoxsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004800700050006f007200740049006f } /* ProductName HpPortIo */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004800700050006f007200740049006f007800360034002e007300790073 } /* OriginalFilename HpPortIoxsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002d003200300032003100200048005000200049006e0063002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCHPIncAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HpPortIox64/i
}
rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89"
date = "2023-06-14"
score = 70
id = "f8eac5b8-e6b4-5749-aa2a-a5e7feefd389"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300039002e0030003700300039002e0032003000320030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* InternalName rtkiowxsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003200300020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkio64/i
}
rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecuritysystem_2CE8 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1"
date = "2023-06-14"
score = 70
id = "fe86a574-2863-59d4-8021-d1a16d3f8cb2"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AVGAntiRootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e00310030002e003100370031002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e00310030002e003100370031002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000320030002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_9254 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b"
date = "2023-06-14"
score = 70
id = "cc1da8e7-b6ef-5580-93f3-d1d0ce2ddac7"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c0069006200200066006f00720020004d00530049004400440052005f00430043 } /* FileDescription NTIOLibforMSIDDRCC */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300038002d00320030003000390020004d00530049002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCMSIAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
}
rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NalDrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b"
hash = "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df"
date = "2023-06-14"
score = 70
id = "940ec295-fcb3-58ed-94fc-41d27943ff0e"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0030002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0030002e0037 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003300200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NalDrv/i
}
rule PUA_VULN_Renamed_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow10x64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993"
date = "2023-06-14"
score = 70
id = "062699e5-a4c4-5428-9867-450293bd591f"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005200650061006c00740065006b00200049004f0020004400720069007600650072 } /* FileDescription RealtekIODriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005200650061006c00740065006b00200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* CompanyName Realtek */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e003000300038002e0030003800320033002e0032003000310037 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* InternalName rtkiowxsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005200650061006c00740065006b00200049004f00200044007200690076006500720020002000200020002000200020002000200020002000200020002000200020002000200020002000200020 } /* ProductName RealtekIODriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00720074006b0069006f007700310030007800360034002e0073007900730020 } /* OriginalFilename rtkiowxsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100370020005200650061006c00740065006b002000530065006d00690063006f006e0064007500630074006f007200200043006f00720070006f0072006100740069006f006e002e00200041006c006c002000520069006700680074002000520065007300650072007600650064002e002000200020002000200020002000200020002000200020 } /* LegalCopyright CopyrightCRealtekSemiconductorCorporationAllRightReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /rtkiow10x64/i
}
rule PUA_VULN_Renamed_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_X_43BA {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89"
date = "2023-06-14"
score = 70
id = "8db66d7c-9c5b-5ec5-a0d3-6eeac0faad51"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004d004900430053005900530020006400720069007600650072 } /* FileDescription MICSYSdriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0049004300530059005300200054006500630068006e006f006c006f0067007900200043006f002e002c0020004c00540064 } /* CompanyName MICSYSTechnologyCoLTd */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003100200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00310020007800360034 } /* ProductVersion x */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* InternalName MsIosys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004d00730049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0031 } /* ProductName MsIoDriverVersion */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004d00730049006f00360034002e007300790073 } /* OriginalFilename MsIosys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003100390020004d00490043005300590053 } /* LegalCopyright CopyrightcMICSYS */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /MsIo64/i
}
rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_1078 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c"
date = "2023-06-14"
score = 70
id = "d8ad2385-f6ec-54df-b61e-e39d7e42ab9f"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0033002e0034003200330039002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftwaredriver_26C2 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097"
date = "2023-06-14"
score = 70
id = "a054c49f-545a-50e4-9233-aa02e16be947"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0047004900470041002d00420059005400450020004e006f006e0050006e00500020004400720069007600650072 } /* FileDescription GIGABYTENonPnPDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0047004900470041002d004200590054004500200054004500430048004e004f004c004f0047005900200043004f002e002c0020004c00540044002e } /* CompanyName GIGABYTETECHNOLOGYCOLTD */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0035 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0031 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0067006400720076002e007300790073 } /* InternalName gdrvsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0047004900470041002d004200590054004500200053006f0066007400770061007200650020006400720069007600650072 } /* ProductName GIGABYTESoftwaredriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0067006400720076002e007300790073 } /* OriginalFilename gdrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310037 } /* LegalCopyright CopyrightC */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /gdrv/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_CC68 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64"
date = "2023-06-14"
score = 70
id = "699ffd4c-b617-5176-8309-f29c2cb00441"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0037002e00330030002e0030002e0031003000390039 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0037002e00330030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003100380020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 500KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Windowsrcodenamelonghornddkdriver_159E {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WCPU.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980"
date = "2023-06-14"
score = 70
id = "c8838651-0a16-565f-8d0a-0bafb7655f34"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041005300550053002000540044004500200043005000550020004400720069007600650072 } /* FileDescription ASUSTDECPUDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRCodenameLonghornDDKprovider */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e003100360033003800360020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030002e0036003000300030002e00310036003300380036 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043005000550020004400720069007600650072 } /* InternalName CPUDriver */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f00770073002000280052002900200043006f00640065006e0061006d00650020004c006f006e00670068006f0072006e002000440044004b0020006400720069007600650072 } /* ProductName WindowsRCodenameLonghornDDKdriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043005000550020004400720069007600650072 } /* OriginalFilename CPUDriver */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020006200790020004100530055005300540065006b00200043004f004d0050005500540045005200200049004e0043002e00200032003000300036 } /* LegalCopyright CopyrightbyASUSTekCOMPUTERINC */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /WCPU/i
}
rule PUA_VULN_Renamed_Driver_Msi_Ntiolibsys_Ntiolib_1DDF {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219"
date = "2023-06-14"
score = 70
id = "2dd7f773-866a-5d1b-9048-9f632a5940fd"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e00540049004f004c00690062 } /* FileDescription NTIOLib */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d00530049 } /* CompanyName MSI */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030002e0033 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* InternalName NTIOLibsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e00540049004f004c00690062 } /* ProductName NTIOLib */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00540049004f004c00690062002e007300790073 } /* OriginalFilename NTIOLibsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100360020004d006900630072006f002d005300740061007200200049004e00540027004c00200043004f002e002c0020004c00540044002e } /* LegalCopyright CopyrightCMicroStarINTLCOLTD */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NTIOLib/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_654C {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad"
date = "2023-06-14"
score = 70
id = "8ecfdace-3521-59b7-8f71-357e6aa89f12"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e0030002e0030002e0031003000370032 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HW.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c"
hash = "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5"
date = "2023-06-14"
score = 70
id = "7d87c723-84b9-56cd-84e1-ef5cdbd61d13"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004800570020002d002000570069006e0064006f007700730020004e0054002d00380020002800330032002f00360034002000620069007400290020006b00650072006e0065006c0020006d006f00640065002000640072006900760065007200200066006f007200200050004300200070006f007200740073002f006d0065006d006f00720079002f0050004300490020006100630063006500730073 } /* FileDescription HWWindowsNTbitkernelmodedriverforPCportsmemoryPCIaccess */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e } /* CompanyName MarvinTestSolutionsInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0038002e0032002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0038002e0032002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00480077002e007300790073 } /* InternalName Hwsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00480057 } /* ProductName HW */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00480057002e007300790073 } /* OriginalFilename HWsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200031003900390036002d00320030003100350020004d0061007200760069006e0020005400650073007400200053006f006c007500740069006f006e0073002c00200049006e0063002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightMarvinTestSolutionsIncAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /HW/i
}
rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_6E0A {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf"
date = "2023-06-14"
score = 70
id = "cf02e07e-5d9c-55ee-a253-3a1c28ee77bc"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0036002e0034003200330035002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0036002e0034003200330035002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_A2F4 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1"
date = "2023-06-14"
score = 70
id = "ffbaa9ba-f68a-554a-9fe8-544bb2e4880f"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0032002e0034003100380031002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0032002e0034003100380031002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Nvidiacorporation_Nvflash_Nvidiaflashdriver_AFDD {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvflash.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508"
date = "2023-06-14"
score = 70
id = "43d4d647-32f2-5838-9182-c72420786bdb"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072002c002000560065007200730069006f006e00200031002e0038002e0030 } /* FileDescription NVIDIAFlashDriverVersion */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004e0056004900440049004100200043006f00720070006f0072006100740069006f006e } /* CompanyName NVIDIACorporation */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0038002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0038002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006e00760066006c006100730068 } /* InternalName nvflash */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004e0056004900440049004100200046006c0061007300680020004400720069007600650072 } /* ProductName NVIDIAFlashDriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006e00760066006c006100730068002e007300790073 } /* OriginalFilename nvflashsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]002800430029002000320030003100370020004e0056004900440049004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CNVIDIACorporationAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /nvflash/i
}
rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F85E {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439"
date = "2023-06-14"
score = 70
id = "4dd6a8d8-f4b0-5a4f-889f-288c3c58564c"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200034 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i
}
rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicbyvektortrev_26F4 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712"
date = "2023-06-14"
score = 70
id = "3ad3446c-e086-5f48-9494-b40dc410d350"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e003100310039003200330030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e003100310039003200330030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100380020005000750062006c00690063002000620079002000560065006b0074006f0072002000540031003300200028007200650076002e003000350029 } /* ProductName AntidetectPublicbyVektorTrev */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100380020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */
condition:
uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /VBoxDrv/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f"
date = "2023-06-14"
score = 70
id = "aecc5ac9-d563-53cd-8c12-c8c21bd69772"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00370030002e0030002e0031003100320038 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00370030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_55A1 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9"
hash = "c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc"
date = "2023-06-14"
score = 70
id = "5486718a-942a-5c48-b2ba-619ec75f9a5f"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004100540053005a0049004f0020004400720069007600650072 } /* FileDescription ATSZIODriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]004100530055005300540065006b00200043006f006d0070007500740065007200200049006e0063002e } /* CompanyName ASUSTekComputerInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0030002e0032002e0031002e0036 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0030002e0032002e0031002e0036 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* InternalName ATSZIOsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004100540053005a0049004f0020004400720069007600650072 } /* ProductName ATSZIODriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004100540053005a0049004f002e007300790073 } /* OriginalFilename ATSZIOsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310032 } /* LegalCopyright CopyrightC */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ATSZIO/i
}
rule PUA_VULN_Renamed_Driver_Sisoftware_Sandra_Sisoftwaresandra_1AAF {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b"
date = "2023-06-14"
score = 70
id = "af3aeaf1-cf11-534a-98ce-f0fc91a55594"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530061006e006400720061002000440065007600690063006500200044007200690076006500720020002800570069006e003600340020007800360034002900280055006e00690063006f006400650029 } /* FileDescription SandraDeviceDriverWinxUnicode */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300690053006f006600740077006100720065 } /* CompanyName SiSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002e00310031002e0031002e00310020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002e00310031002e0031002e0031 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530041004e004400520041 } /* InternalName SANDRA */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005300690053006f006600740077006100720065002000530061006e006400720061 } /* ProductName SiSoftwareSandra */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530041004e004400520041 } /* OriginalFilename SANDRA */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a90020005300690053006f0066007400770061007200650020004c0074006400200031003900390035002d0032003000300038002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSiSoftwareLtdAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /sandra/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Aegis_C901 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c"
date = "2023-06-14"
score = 70
id = "c982914b-d99f-5ff4-a520-285308d54947"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0030002e0030002e0031003100310038 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410045004700490053 } /* ProductName AEGIS */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300035002d00320030003000370020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Symanteccorporation_Vproeventmonitorsys_Symanteceventmonitorsdriverdevelopmentedition_7877 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VProEventMonitor.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca"
date = "2023-06-14"
score = 70
id = "9c70d8f6-1bd9-5a04-be49-ba4eb5d3bbb3"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e0053007900730020002d0020004500760065006e00740020004d006f006e00690074006f00720069006e00670020006400720069007600650072 } /* FileDescription VProEventMonitorSysEventMonitoringdriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530079006d0061006e00740065006300200043006f00720070006f0072006100740069006f006e } /* CompanyName SymantecCorporation */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0030002e0030002e00340035003700300038 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e005300790073 } /* InternalName VProEventMonitorSys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530079006d0061006e0074006500630020004500760065006e00740020004d006f006e00690074006f00720073002000440072006900760065007200200044006500760065006c006f0070006d0065006e0074002000450064006900740069006f006e } /* ProductName SymantecEventMonitorsDriverDevelopmentEdition */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]005600500072006f004500760065006e0074004d006f006e00690074006f0072002e005300790073 } /* OriginalFilename VProEventMonitorSys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300037002d0032003000300038002000530079006d0061006e00740065006300200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightSymantecCorporationAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /VProEventMonitor/i
}
rule PUA_VULN_Renamed_Driver_Wj_Kprocesshacker_C725 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - krpocesshacker.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c"
date = "2023-06-14"
score = 70
id = "6fc3cdb0-6d5f-56f8-8f36-0ff5bef55de3"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0077006a00330032 } /* CompanyName wj */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0038 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0038 } /* ProductVersion */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* ProductName KProcessHacker */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00700072006f0063006500730073006800610063006b00650072002e007300790073 } /* OriginalFilename kprocesshackersys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004c006900630065006e00730065006400200075006e006400650072002000740068006500200047004e0055002000470050004c002c002000760033002e } /* LegalCopyright LicensedundertheGNUGPLv */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /krpocesshacker/i
}
rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpot_Avastantivirus_7AD0 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed"
date = "2023-06-14"
score = 70
id = "0319c351-404e-5272-b0d5-952ce977838f"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200041006e0074006900200052006f006f0074006b00690074 } /* FileDescription AvastAntiRootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00320030002e0034002e00380033002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074 } /* InternalName aswArPot */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300032003000200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_C082 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd"
date = "2023-06-14"
score = 70
id = "87a0873b-23fb-5a11-a3f4-942f30cdcfa7"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00360030002e0030002e0031003000380034 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00360030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000200028004300290020002000320030003200300020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Creativetechnologyinnovationcoltd_Ctiiosys_Ctiiodriverversion_X_2121 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CtiIo64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109"
date = "2023-06-14"
score = 70
id = "a8590fdf-3af6-5231-b089-bb07eef1e2d4"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00430054004900200049004f0020006400720069007600650072 } /* FileDescription CTIIOdriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0043007200650061007400690076006500200054006500630068006e006f006c006f0067007900200049006e006e006f0076006100740069006f006e00200043006f002e002c0020004c00540064002e } /* CompanyName CreativeTechnologyInnovationCoLTd */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e003000200078003600340020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion xbuiltbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300020007800360034 } /* ProductVersion x */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0043007400690049006f00360034002e007300790073 } /* InternalName CtiIosys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043007400690049006f003600340020004400720069007600650072002000560065007200730069006f006e00200031002e0030 } /* ProductName CtiIoDriverVersion */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0043007400690049006f00360034002e007300790073 } /* OriginalFilename CtiIosys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800630029002000320030003200310020004300540049 } /* LegalCopyright CopyrightcCTI */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /CtiIo64/i
}
rule PUA_VULN_Renamed_Driver_Ssmartsoftwaresolutionsgmbh_Sysdrvs_Sysdrvs_0E53 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SysDrv3S.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b"
date = "2023-06-14"
score = 70
id = "820cc12f-f611-50d6-8091-4aca403d3e97"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00530079007300440072007600330053 } /* FileDescription SysDrvS */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00330053002d0053006d00610072007400200053006f00660074007700610072006500200053006f006c007500740069006f006e007300200047006d00620048 } /* CompanyName SSmartSoftwareSolutionsGmbH */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002c0035002c0036002c0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0035002e0036002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00530079007300440072007600330053 } /* InternalName SysDrvS */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530079007300440072007600330053 } /* ProductName SysDrvS */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00530079007300440072007600330053002e007300790073 } /* OriginalFilename SysDrvSsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000a900200032003000300036002d0032003000310034 } /* LegalCopyright Copyright */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /SysDrv3S/i
}
rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_14AD {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8"
date = "2023-06-14"
score = 70
id = "92155ad4-0564-570b-8b9b-39ec68a937af"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310037002e0039002e0033003700350034002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310037002e0039002e0033003700350034002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003400200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserverddkdriver_3871 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz_x64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3"
date = "2023-06-14"
score = 70
id = "4a81c778-c70d-57f7-b57e-3f2de7bfbd27"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004300500055004900440020004400720069007600650072 } /* FileDescription CPUIDDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b002000700072006f00760069006400650072 } /* CompanyName WindowsRServerDDKprovider */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0035002e0032002e0033003700390030002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006300700075007a002e007300790073 } /* InternalName cpuzsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00570069006e0064006f007700730020002800520029002000530065007200760065007200200032003000300033002000440044004b0020006400720069007600650072 } /* ProductName WindowsRServerDDKdriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006300700075007a002e007300790073 } /* OriginalFilename cpuzsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]00a90020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright MicrosoftCorporationAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /cpuz_x64/i
}
rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9"
date = "2023-06-14"
score = 70
id = "8f7f8c67-774d-5864-a9a9-e43896a8e1f4"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0033002e0032002e003100370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0033002e0032002e00310037 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003800200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i
}
rule PUA_VULN_Renamed_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospackage_3143 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073"
date = "2023-06-14"
score = 70
id = "c37e0f2e-edf4-57bc-96d3-2256241603b7"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00420049004f00530020005500700064006100740065002000440072006900760065007200200046006f0072002000570069006e0064006f007700730020007800360034002000450064006900740069006f006e } /* FileDescription BIOSUpdateDriverForWindowsxEdition */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e } /* CompanyName TOSHIBACorporation */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0034002e0032002e0034002e00300020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0034002e0032002e0034002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* InternalName NCHGBIOSxSYS */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0054004f00530048004900420041002000420049004f00530020005000610063006b006100670065 } /* ProductName TOSHIBABIOSPackage */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]004e00430048004700420049004f00530032007800360034002e005300590053 } /* OriginalFilename NCHGBIOSxSYS */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200031003900390039002d003200300031003200200054004f0053004800490042004100200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCTOSHIBACorporationAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /NCHGBIOS2x64/i
}
rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_5439 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91"
hash = "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd"
date = "2023-06-14"
score = 70
id = "f2b28250-5041-59a9-a49f-9b9597e630ef"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320031002e00360033 } /* ProductVersion */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /zam64/i
}
rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_30AB {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb"
date = "2023-06-14"
score = 70
id = "d9027c11-b261-5751-a75f-149cc317a186"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310031002e00330030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310031002e00330030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d002e002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000300038 } /* LegalCopyright CopyrightCMRussinovich */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i
}
rule PUA_VULN_Renamed_Driver_Zemanaltd_Zam_DE8F {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c"
date = "2023-06-14"
score = 70
id = "529c87c6-e363-57ca-894e-84af66030798"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005a0041004d } /* FileDescription ZAM */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005a0065006d0061006e00610020004c00740064002e } /* CompanyName ZemanaLtd */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e00320030002e003100300034 } /* ProductVersion */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005a0041004d } /* ProductName ZAM */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]005a0065006d0061006e00610020004c00740064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright ZemanaLtdAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /zam64/i
}
rule PUA_VULN_Renamed_Driver_Supermicrocomputerinc_Phymem_Phymem_1963 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - phymem64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52"
date = "2023-06-14"
score = 70
id = "9607a849-b445-5b65-8aec-34c637c49101"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]007000680079006d0065006d0020004100700070006c00690063006100740069006f006e } /* FileDescription phymemApplication */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* CompanyName SuperMicroComputerInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007000680079006d0065006d } /* InternalName phymem */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]007000680079006d0065006d } /* ProductName phymem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]007000680079006d0065006d002e007300790073 } /* OriginalFilename phymemsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400280063002900200031003900390033002d00320030003100350020005300750070006500720020004d006900630072006f00200043006f006d00700075007400650072002c00200049006e0063002e } /* LegalCopyright CopyrightcSuperMicroComputerInc */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /phymem64/i
}
rule PUA_VULN_Renamed_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Processexplorer_16A2 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1"
hash = "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb"
date = "2023-06-14"
score = 70
id = "4f275c35-b939-507c-8c6b-2851cc48cd35"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* FileDescription ProcessExplorer */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0053007900730069006e007400650072006e0061006c00730020002d0020007700770077002e0073007900730069006e007400650072006e0061006c0073002e0063006f006d } /* CompanyName Sysinternalswwwsysinternalscom */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310036002e00340032 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310036002e00340032 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00700072006f0063006500780070002e007300790073 } /* InternalName procexpsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500072006f00630065007300730020004500780070006c006f007200650072 } /* ProductName ProcessExplorer */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00700072006f0063006500780070002e005300790073 } /* OriginalFilename procexpSys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028004300290020004d00610072006b002000520075007300730069006e006f007600690063006800200031003900390036002d0032003000320031 } /* LegalCopyright CopyrightCMarkRussinovich */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /procexp/i
}
rule PUA_VULN_Renamed_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_CFB7 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40"
date = "2023-06-14"
score = 70
id = "e8b4df5f-9449-5943-ad88-479215dbca33"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00560065006b0074006f0072002000540031003300200053006500630075007200690074007900200053006500720076006900630065 } /* CompanyName VektorTSecurityService */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0034002e0030002e003100310039003200330030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0034002e0030002e003100310039003200330030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041006e00740069006400650074006500630074002000320030003100390020005000750062006c00690063 } /* ProductName AntidetectPublic */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002d00320030003100390020004f007200610063006c006500200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCOracleCorporation */
condition:
uint16(0) == 0x5a4d and filesize < 400KB and all of them and not filename matches /VBoxDrv/i
}
rule PUA_VULN_Renamed_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C894 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada"
date = "2023-06-14"
score = 70
id = "398bc71f-c1a6-57bb-81df-6e378a64e39a"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* CompanyName SunMicrosystemsInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0032002e0032002e0034002e007200340037003900370038 } /* FileVersion r */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0032002e0032002e0034002e007200340037003900370038 } /* ProductVersion r */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* InternalName VBoxDrvsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00530075006e0020005600690072007400750061006c0042006f0078 } /* ProductName SunVirtualBox */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300039002000530075006e0020004d006900630072006f00730079007300740065006d0073002c00200049006e0063002e } /* LegalCopyright CopyrightCSunMicrosystemsInc */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /VBoxDrv/i
}
rule PUA_VULN_Renamed_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4"
date = "2023-06-14"
score = 70
id = "70296e41-c455-5353-a682-272346ecc4c8"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072007400750061006c0042006f007800200053007500700070006f007200740020004400720069007600650072 } /* FileDescription VirtualBoxSupportDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00500069006e00640075006f00640075006f0020004c0074006400200043006f00720070 } /* CompanyName PinduoduoLtdCorp */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e0032002e0030002e003100330037003900300034 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e0032002e0030002e003100330037003900300034 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]00560042006f0078004400720076 } /* InternalName VBoxDrv */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00500069006e00640075006f00640075006f00200053006500630075007200650020005600440049 } /* ProductName PinduoduoSecureVDI */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00560042006f0078004400720076002e007300790073 } /* OriginalFilename VBoxDrvsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310035002d0032003000320031002000500069006e00640075006f00640075006f00200043006f00720070006f0072006100740069006f006e } /* LegalCopyright CopyrightCPinduoduoCorporation */
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and all of them and not filename matches /VBoxDrv/i
}
rule PUA_VULN_Renamed_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506"
date = "2023-06-14"
score = 70
id = "bf7ca47b-217f-50a3-a634-d34a788c0e6d"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* FileDescription VirITAgentSystem */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0054004700200053006f0066007400200053002e0061002e0073002e } /* CompanyName TGSoftSas */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002c00200030002c00200030002c00200030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]007600690072006100670074002e007300790073 } /* InternalName viragtsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005600690072004900540020004100670065006e0074002000530079007300740065006d } /* ProductName VirITAgentSystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00760069007200610067007400360034002e007300790073 } /* OriginalFilename viragtsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200054004700200053006f0066007400200053002e0061002e0073002e00200032003000310031002c002000320030003100320020002d0020007700770077002e007400670073006f00660074002e00690074 } /* LegalCopyright CopyrightCTGSoftSaswwwtgsoftit */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /viragt64/i
}
rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_8CFD {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9"
date = "2023-06-14"
score = 70
id = "2ef0b4a6-b99a-5726-b485-08ad34af82c2"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0037002e0034003200340036002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9"
date = "2023-06-14"
score = 70
id = "ee625dbd-bb74-5c20-bfd9-05a50b0ab728"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0036002e0033003900370039002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0036002e0033003900370039002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Wj_Kprocesshacker_7021 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4"
date = "2023-06-14"
score = 70
id = "d913ce75-2d9f-58e5-8cf9-c58062b16116"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* FileDescription KProcessHacker */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0077006a00330032 } /* CompanyName wj */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0033002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0033002e0030 } /* ProductVersion */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]004b00500072006f0063006500730073004800610063006b00650072 } /* ProductName KProcessHacker */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006b00700072006f0063006500730073006800610063006b00650072002e007300790073 } /* OriginalFilename kprocesshackersys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]004c006900630065006e00730065006400200075006e006400650072002000740068006500200047004e0055002000470050004c002c002000760033002e } /* LegalCopyright LicensedundertheGNUGPLv */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /kprocesshacker/i
}
rule PUA_VULN_Renamed_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_76E8 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524"
date = "2023-06-14"
score = 70
id = "dbfbd9f6-bb1e-5d55-bf0c-0c33f1947de0"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]005400720065006e0064004d006900630072006f00200043006f006d006d006f006e0020004d006f00640075006c0065 } /* FileDescription TrendMicroCommonModule */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200049006e0063002e } /* CompanyName TrendMicroInc */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002e00320030002e0030002e0031003000300038 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002e00320030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* InternalName TmCommsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]005400720065006e00640020004d006900630072006f00200045007900650073 } /* ProductName TrendMicroEyes */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0054006d0043006f006d006d002e007300790073 } /* OriginalFilename TmCommsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003100330020005400720065006e00640020004d006900630072006f00200049006e0063006f00720070006f00720061007400650064002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e } /* LegalCopyright CopyrightCTrendMicroIncorporatedAllrightsreserved */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /TmComm/i
}
rule PUA_VULN_Renamed_Driver_Biostargroup_Iodriver_Biostariodriver_1D03 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_HWMIO64_W10.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8"
date = "2023-06-14"
score = 70
id = "f149cf06-3087-5976-9b85-3779caa99ab5"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049002f004f00200049006e00740065007200660061006300650020006400720069007600650072002000660069006c0065 } /* FileDescription IOInterfacedriverfile */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00420049004f0053005400410052002000470072006f00750070 } /* CompanyName BIOSTARGroup */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310030002c00200030002c00200031003800300036002c00200032003200300030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310030002c00200030002c00200031003800300036002c00200032003200300030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0049002f004f0020006400720069007600650072 } /* InternalName IOdriver */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00420049004f005300540041005200200049002f004f0020006400720069007600650072 } /* ProductName BIOSTARIOdriver */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]00420053005f00480057004d0049004f00360034005f005700310030002e007300790073 } /* OriginalFilename BSHWMIOWsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280063002900200032003000310038002d0032003000310039002000420049004f0053005400410052002000470072006f00750070 } /* LegalCopyright CopyrightcBIOSTARGroup */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /BS_HWMIO64_W10/i
}
rule PUA_VULN_Renamed_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecuritysystem_E2E7 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6"
date = "2023-06-14"
score = 70
id = "d31d0885-997d-54ac-8dc0-dc4703b0a105"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]00410056004700200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription AVGantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]00410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* CompanyName AVGTechnologiesCZsro */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310039002e0034002e0034003200310031002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]00410056004700200049006e007400650072006e00650074002000530065006300750072006900740079002000530079007300740065006d0020 } /* ProductName AVGInternetSecuritySystem */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000310039002000410056004700200054006500630068006e006f006c006f006700690065007300200043005a002c00200073002e0072002e006f002e } /* LegalCopyright CopyrightCAVGTechnologiesCZsro */
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}
rule PUA_VULN_Renamed_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F69 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683"
date = "2023-06-14"
score = 70
id = "fa919157-ac17-529a-ac52-77794cfaae58"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0049006e00740065006c0028005200290020004e006500740077006f0072006b0020004100640061007000740065007200200044006900610067006e006f00730074006900630020004400720069007600650072 } /* FileDescription IntelRNetworkAdapterDiagnosticDriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0049006e00740065006c00200043006f00720070006f0072006100740069006f006e0020 } /* CompanyName IntelCorporation */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0031002e00300033002e0032002e00370020006200750069006c0074002000620079003a002000570069006e00440044004b } /* FileVersion builtbyWinDDK */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0031002e00300033002e0032002e0037 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* InternalName iQVWSYS */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0049006e00740065006c0028005200290020006900510056005700360034002e005300590053 } /* ProductName IntelRiQVWSYS */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006900510056005700360034002e005300590053 } /* OriginalFilename iQVWSYS */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f0070007900720069006700680074002000280043002900200032003000300032002d003200300031003600200049006e00740065006c00200043006f00720070006f0072006100740069006f006e00200041006c006c0020005200690067006800740073002000520065007300650072007600650064002e } /* LegalCopyright CopyrightCIntelCorporationAllRightsReserved */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /iQVW64/i
}
rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d"
date = "2023-06-14"
score = 70
id = "604edf79-865e-5d1e-bc2d-b2948d4ba5c1"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f00770073002000780036003400200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsxIOdriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200031 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003800200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i
}
rule PUA_VULN_Renamed_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ElbyCDIO.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60"
date = "2023-06-14"
score = 70
id = "96c759e8-6824-5845-82fc-512810a6cc8f"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0045006c0062007900430044002000570069006e0064006f007700730020004e0054002f0032003000300030002f0058005000200049002f004f0020006400720069007600650072 } /* FileDescription ElbyCDWindowsNTXPIOdriver */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* CompanyName ElaborateBytesAG */
$ = { 00460069006c006500560065007200730069006f006e[1-8]0036002c00200030002c00200031002c00200030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]0036002c00200030002c00200030002c00200030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]0045006c00620079004300440049004f } /* InternalName ElbyCDIO */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0043004400520054006f006f006c0073 } /* ProductName CDRTools */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]0045006c00620079004300440049004f002e007300790073 } /* OriginalFilename ElbyCDIOsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f00700079007200690067006800740020002800430029002000320030003000300020002d0020003200300030003700200045006c00610062006f0072006100740065002000420079007400650073002000410047 } /* LegalCopyright CopyrightCElaborateBytesAG */
condition:
uint16(0) == 0x5a4d and filesize < 100KB and all of them and not filename matches /ElbyCDIO/i
}
rule PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0 {
meta:
description = "Detects renamed vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
author = "Florian Roth"
reference = "https://github.com/magicsword-io/LOLDrivers"
hash = "4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba"
date = "2023-06-14"
score = 70
id = "dfb8899e-3cbb-55c5-b531-761200da2d8f"
strings:
$ = { 00460069006c0065004400650073006300720069007000740069006f006e[1-8]0041007600610073007400200061006e0074006900200072006f006f0074006b00690074 } /* FileDescription Avastantirootkit */
$ = { 0043006f006d00700061006e0079004e0061006d0065[1-8]0041005600410053005400200053006f006600740077006100720065 } /* CompanyName AVASTSoftware */
$ = { 00460069006c006500560065007200730069006f006e[1-8]00310038002e0037002e0034003000310036002e0030 } /* FileVersion */
$ = { 00500072006f006400750063007400560065007200730069006f006e[1-8]00310038002e0037002e0034003000310036002e0030 } /* ProductVersion */
$ = { 0049006e007400650072006e0061006c004e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* InternalName aswArPotsys */
$ = { 00500072006f0064007500630074004e0061006d0065[1-8]0041007600610073007400200041006e00740069007600690072007500730020 } /* ProductName AvastAntivirus */
$ = { 004f0072006900670069006e0061006c00460069006c0065006e0061006d0065[1-8]006100730077004100720050006f0074002e007300790073 } /* OriginalFilename aswArPotsys */
$ = { 004c006500670061006c0043006f0070007900720069006700680074[1-8]0043006f007000790072006900670068007400200028006300290020003200300031003800200041005600410053005400200053006f006600740077006100720065 } /* LegalCopyright CopyrightcAVASTSoftware */
condition:
uint16(0) == 0x5a4d and filesize < 200KB and all of them and not filename matches /aswArPot/i and not filename matches /avgArPot/i
}