Skip to content

Instantly share code, notes, and snippets.

@mgraeber-rc
Last active September 10, 2024 15:38
Show Gist options
  • Save mgraeber-rc/1bde6a2a83237f17b463d051d32e802c to your computer and use it in GitHub Desktop.
Save mgraeber-rc/1bde6a2a83237f17b463d051d32e802c to your computer and use it in GitHub Desktop.
A contextualized addendum to Microsoft's recommended driver block rules

Each driver entry below includes the following attributes:

  • Rule - A unique name applied to a driver. Drivers listed below with a rule name starting with ID_ are derived from the WDAC configuration.
  • Rule Classification - The type of abusable driver. The following rule classifications are currently supported:
    1. Exploitation of Vulnerable Driver - A legitimate but vulnerable driver that is prone to abuse by an attacker
    2. Dual-purpose Driver - A legitimate driver that is designed as a "power tool" of sorts to facilitate directly modifying kernel data structures that can be used for both benign and malicious purposes
    3. Malicious Driver - Known malicious, signed drivers
  • Known Abuse in the Wild - Indicates if there is evidence of abuse in the wild
  • Certificate Revoked - Indicates if the related certificate was revoked
  • Relevant File Attributes - File attributes that may assist in building broader detection coverage or to facilitate variant hunting.
  • Block Type - For driver entries that originate from the Microsoft recommended driver block rules, this specifies a description of how Microsoft recommends blocking/auditing the respective drivers in a robust fashion. The following block types are listed below:
    1. Authenticode Hash - It is recommended that the driver be blocked based on a hash of just the portions of a Portable Executable (PE) file that are considered for signature validation.
    2. OriginalFileName - It is recommended that the driver be blocked solely on the OriginalFileName in the VERSIONINFO resource.
    3. Signer, OriginalFileName, and FileVersion (up to X.X.X.X) - It is recommended that the driver be blocked based on its signer, OriginalFileName, and a specific range of vulnerable versions.
    4. Signer - It is recommended that the driver be blocked based solely on its signer.
  • Sources - A list of file hashes identified in VirusTotal that correspond to the driver at hand. It is recommended at a minimum to establish detection coverage for these files hashes. Note: these hashes were obtained at a snapshot in time and will not reflect the totality of all possible drivers that match the corresponding rule.
  • References - A list of relevant reference links that may offer more details and context about the abusable driver.

Rule: ID_DENY_BANDAI_*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

Yes

Relevant File Attributes

Block Type

Authenticode Hash

Sources

References


Rule: ID_DENY_CAPCOM_*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

Yes

Relevant File Attributes

Block Type

Authenticode Hash

Sources

References


Rule: ID_DENY_FIDDRV64_*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

No

Relevant File Attributes

Block Type

Authenticode Hash

Sources

References

  • None

Rule: ID_DENY_FIDPCIDRV64_*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

Yes

Relevant File Attributes

Block Type

Authenticode Hash

Sources

References

  • None

Rule: ID_DENY_GDRV

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

Yes

Relevant File Attributes

Block Type

OriginalFileName

Sources

References


Rule: ID_DENY_GLCKIO2_*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

No

Relevant File Attributes

Block Type

Authenticode Hash

Sources

References


Rule: ID_DENY_GVCIDRV64_*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

No

Relevant File Attributes

Block Type

Authenticode Hash

Sources

References


Rule: ID_DENY_WINFLASH64_*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

Yes

Relevant File Attributes

Block Type

Authenticode Hash

Sources

References


Rule: ID_DENY_AMIFLDRV64_*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

Yes

Relevant File Attributes

Block Type

Authenticode Hash

Sources

References


Rule: ID_DENY_ASUPIO64*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

Yes

Relevant File Attributes

Block Type

Authenticode Hash

Sources

References


Rule: ID_DENY_BSFLASH64_*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

No

Relevant File Attributes

Block Type

Authenticode Hash

Sources

References


Rule: ID_DENY_BSHWMIO64_*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

No

Relevant File Attributes

Block Type

Authenticode Hash

Sources

References


Rule: ID_DENY_MSIO64_*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

No

Relevant File Attributes

Block Type

Authenticode Hash

Sources

References


Rule: ID_DENY_PIDDRV64_*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

No

Relevant File Attributes

Block Type

Authenticode Hash

Sources

References


Rule: ID_DENY_SEMAV6MSR64_*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

Yes

Relevant File Attributes

Block Type

Authenticode Hash

Sources

References


Rule: ID_FILEATTRIB_CPUZ_DRIVER

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

No

Relevant File Attributes

Block Type

Signer, OriginalFileName, and FileVersion (up to 1.0.4.3)

Sources

References


Rule: ID_FILEATTRIB_ELBY_DRIVER

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

Yes

Relevant File Attributes

Block Type

Signer, OriginalFileName, and FileVersion (up to 6.0.3.2)

Sources

References


Rule: ID_FILEATTRIB_LIBNICM_DRIVER

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

Yes

Relevant File Attributes

Block Type

Signer, OriginalFileName, and FileVersion (up to 3.1.12.0)

Sources

References


Rule: ID_FILEATTRIB_NICM_DRIVER

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

Yes

Relevant File Attributes

Block Type

Signer, OriginalFileName, and FileVersion (up to 3.1.12.0)

Sources

References


Rule: ID_FILEATTRIB_NSCM_DRIVER

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

Yes

Relevant File Attributes

Block Type

Signer, OriginalFileName, and FileVersion (up to 3.1.12.0)

Sources

References


Rule: ID_FILEATTRIB_MTCBSV64

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

No

Relevant File Attributes

Block Type

Signer, OriginalFileName, and FileVersion (up to 21.2.0.0)

Sources

References


Rule: ID_FILEATTRIB_SANDRA_DRIVER

No VT hits for an OriginalFileName of sandra.sys were found. The following hashes represent matches for SANDRA. Either VT doesn't have any sandra.sys or the rule is mistaken (more likely).

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

Yes

Relevant File Attributes

Block Type

Signer, OriginalFileName, and FileVersion (up to 10.12.0.0)

Sources

References


Rule: ID_FILEATTRIB_RTKIO64_DRIVER

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

No

Relevant File Attributes

Block Type

Signer, OriginalFileName, and FileVersion (all versions)

Sources

References


Rule: ID_FILEATTRIB_RTKIOW10X64_DRIVER

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

No

Relevant File Attributes

Block Type

Signer, OriginalFileName, and FileVersion (all versions)

Sources

References


Rule: ID_FILEATTRIB_RTKIOW8X64_DRIVER

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

No

Relevant File Attributes

Block Type

Signer, OriginalFileName, and FileVersion (all versions)

Sources

References


Rule: ID_FILEATTRIB_BSMI

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

No

Relevant File Attributes

Block Type

Signer, OriginalFileName, and FileVersion (up to 1.0.0.3)

Sources

References


Rule: ID_FILEATTRIB_BS_HWMIO64

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

No

Relevant File Attributes

Block Type

Signer, OriginalFileName, and FileVersion (up to 10.0.1806.2200)

Sources

References


Rule: ID_FILEATTRIB_BS_I2CIO

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

No

Relevant File Attributes

Block Type

Signer, OriginalFileName, and FileVersion (up to 1.1.0.0)

Sources

References


Rule: ID_FILEATTRIB_NTIOLIB

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

Yes

Relevant File Attributes

Block Type

Signer, OriginalFileName, and FileVersion (up to 1.0.0.0)

Sources

References


Rule: ID_FILEATTRIB_NCHGBIOS2X64

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

No

Relevant File Attributes

Block Type

Signer, OriginalFileName, and FileVersion (up to 4.2.4.0)

Sources

References


Rule: ID_FILEATTRIB_SEGWINDRVX64

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

No

Relevant File Attributes

Block Type

Signer, OriginalFileName, and FileVersion (up to 100.0.7.2)

Sources

References


Rule: ID_SIGNER_MIMIKATZ_KERNEL

Rule Classification

Malicious Driver

Known Abuse in the Wild

Yes

Certificate Revoked

No

Relevant File Attributes

Block Type

Signer

Sources

References


Rule: ID_SIGNER_MIMIKATZ_USER

Rule Classification

Malicious Driver

Known Abuse in the Wild

Yes

Certificate Revoked

No

Relevant File Attributes

Block Type

Signer

Sources

References


Rule: ID_SIGNER_SPEEDFAN

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

No

Relevant File Attributes

Block Type

Signer

Sources

References


Rule: ID_SIGNER_RWEVERY

Rule Classification

Dual-purpose Driver

Known Abuse in the Wild

Yes

Certificate Revoked

No

Relevant File Attributes

Block Type

Signer

Sources

References


Rule: ID_SIGNER_VBOX

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

Yes

Relevant File Attributes

Block Type

Signer

Sources

References


Rule: ID_DENY_RETLIFTEN_*

Rule Classification

Malicious Driver

Known Abuse in the Wild

Yes

Certificate Revoked

No

Relevant File Attributes

Block Type

Authenticode Hash

Sources

References

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment