Each driver entry below includes the following attributes:
Rule
- A unique name applied to a driver. Drivers listed below with a rule name starting with ID_ are derived from the WDAC configuration.
Rule Classification
- The type of abusable driver. The following rule classifications are currently supported:
  Exploitation of Vulnerable Driver
  - A legitimate but vulnerable driver that is prone to abuse by an attacker.
  Dual-purpose Driver
  - A legitimate driver that is designed as a "power tool" of sorts to facilitate directly modifying kernel data structures; it can be used for both benign and malicious purposes.
  Malicious Driver
  - Known malicious, signed drivers.
Known Abuse in the Wild
- Indicates if there is evidence of abuse in the wild.
Certificate Revoked
- Indicates if the related certificate was revoked.
Relevant File Attributes
- File attributes that may assist in building broader detection coverage or in variant hunting.
Block Type
- For driver entries that originate from the Microsoft recommended driver block rules, this describes how Microsoft recommends blocking/auditing the respective drivers in a robust fashion. The following block types are used:
  Authenticode Hash
  - It is recommended that the driver be blocked based on a hash of just the portions of the Portable Executable (PE) file that are considered for signature validation.
  OriginalFileName
  - It is recommended that the driver be blocked solely on the OriginalFileName in the VERSIONINFO resource.
  Signer, OriginalFileName, and FileVersion (up to X.X.X.X)
  - It is recommended that the driver be blocked based on its signer, OriginalFileName, and a specific range of vulnerable versions.
  Signer
  - It is recommended that the driver be blocked based solely on its signer.
Sources
- A list of file hashes identified in VirusTotal that correspond to the driver at hand. It is recommended at a minimum to establish detection coverage for these file hashes. Note: these hashes were obtained at a snapshot in time and will not reflect the totality of all possible drivers that match the corresponding rule.
References
- A list of relevant reference links that may offer more details and context about the abusable driver.

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: Yes
Certificate Revoked: Yes
Relevant File Attributes:
- Authenticode Hash: 7fd788358585e0b863328475898bb4400ed8d478466d1b7f5cc0252671456cc8
- Certificate Subject: NAMCO BANDAI Online Inc.
- Certificate Thumbprint: EFF833B56205ABF29B5E421DAF376B157DB3E43B
Block Type: Authenticode Hash

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: Yes
Certificate Revoked: Yes
Relevant File Attributes:
- Authenticode Hash: faa08cb609a5b7be6bfdb61f1e4a5e8adf2f5a1d2492f262483df7326934f5d4
- Certificate Subject: CAPCOM Co.,Ltd.; Xtreaming Technology Inc.
- Certificate Thumbprint: AB0E343FD727DE4869897A9AB7CA64512B36D0E9; 09EDEDDCBDB0C03C850F1D29920E412348120C8D
Block Type: Authenticode Hash
References:
- Capcom Rootkit Proof-Of-Concept
- https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: No
Certificate Revoked: No
Relevant File Attributes:
- Authenticode Hash: feef191064d18b6fb63b7299415d1b1e2ec8fcdd742854aa96268d0ec4a0f7b6
- Certificate Subject: Intel(R) Processor Identification Utility
- Certificate Thumbprint: 711727858B25D3224B500998EA44BE8E2F113D12
- Expected Filename: fiddrv64.sys
Block Type: Authenticode Hash
- None

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: No
Certificate Revoked: Yes
Relevant File Attributes:
- Authenticode Hash: 7fb0f6fc5bdd22d53f8532cb19da666a77a66ffb1cf3919a2e22b66c13b415b7
- Certificate Subject: Intel(R) Processor Identification Utility
- Certificate Thumbprint: 711727858B25D3224B500998EA44BE8E2F113D12
- Expected Filename: fidpcidrv64.sys
Block Type: Authenticode Hash
- None

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: Yes
Certificate Revoked: Yes
Relevant File Attributes:
- Certificate Subject: Giga-Byte Technology
- Certificate Thumbprint: 32DAEE48AE406222C2BB92C4F1B7F516E537175A
- Expected Filename: gdrv.sys
Block Type: OriginalFileName
Sources:
- 31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427
- 88992ddcb9aaedb8bfcc9b4354138d1f7b0d7dddb9e7fcc28590f27824bee5c3
- cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b
References:
- Living off another land: Ransomware borrows vulnerable driver to remove security software
- Ransomware Exploits GIGABYTE Driver to Kill AV Processes
- Ransomware installs Gigabyte driver to kill antivirus products
- Kernel Driver Utility

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: Yes
Certificate Revoked: No
Relevant File Attributes:
- Authenticode Hash: 47dba240967fd0088be618163672dfbddf0138178cccd45b54037f622b221220
- Certificate Subject: ASUSTeK Computer Inc.
- Certificate Thumbprint: 8B60E28D7D7873AD873E5FCFF01A5DCB5B999532
- Expected Filename: GLCKIO2.sys
Block Type: Authenticode Hash
References:
- ASUS UEFI Update Driver Physical Memory Read/Write
- Kernel Driver Utility
- https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: No
Certificate Revoked: No
Relevant File Attributes:
- Authenticode Hash: 2ff09bb919a9909068166c30322c4e904befeba5429e9a11d011297fb8a73c07
- Certificate Subject: GIGA-BYTE TECHNOLOGY CO., LTD.
- Certificate Thumbprint: E31B1CE555B78944D20F160DF3BE831F1C638AE3
- Expected Filename: gvcidrv64.sys
Block Type: Authenticode Hash

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: No
Certificate Revoked: Yes
Relevant File Attributes:
- Authenticode Hash: f2b51fbeead17f5ee34d5b4a3a83c848fb76f8f0e80769212e137a7aa539a3bc
- Certificate Subject: Phoenix Technology Ltd.
- Certificate Thumbprint: 5266699008B6FC3F54660968977B75D17AA3F6F4
- Expected Filename: WinFlash64.sys
Block Type: Authenticode Hash

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: No
Certificate Revoked: Yes
Relevant File Attributes:
- Authenticode Hash: 038f39558035292f1d794b7cf49f8e751e8633daec31454fe85cccbea83ba3fb
- Certificate Subject: NOVENTI Health SE; American Megatrends, Inc.
- Certificate Thumbprint: 04958B5EA91966FE89DA99B8ED5E4EEC8BAFDC26; 5353050D0A9B1F5176F65958EF735FB631392D76
- Expected Filename: amifldrv64.sys
Block Type: Authenticode Hash
Sources:
- 5e238d351e16d4909ca394f1db0326a60d33c9ac7b4d78aefcf17a6d9cc72be9
- fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: Yes
Certificate Revoked: Yes
Relevant File Attributes:
- Authenticode Hash: 7f75d91844b0c162eeb24d14bcf63b7f230e111daa7b0a26eaa489eeb22d9057
- Certificate Subject: ASUSTeK Computer Inc.
- Certificate Thumbprint: 64BC9DAE5710C93A9ACFED82EE5DCE0A9BA8D1A8
- Expected Filename: AsUpIO.sys
Block Type: Authenticode Hash

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: No
Certificate Revoked: No
Relevant File Attributes:
- Authenticode Hash: 543c3f024e4affd0aafa3a229fa19dbe7a70972bb18ed6347d3492dd174edac5
- Certificate Subject: BIOSTAR MICROTECH INT'L CORP
- Certificate Thumbprint: 577E8A329A09C735C7B187FE76D88A7974BB8834
- Expected Filename: BS_Flash64.sys
Block Type: Authenticode Hash

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: No
Certificate Revoked: No
Relevant File Attributes:
- Authenticode Hash: 3de51a3102db7297d96b4de5b60aca5f3a07e8577bbbed7f755f1de9a9c38e75
- Certificate Subject: BIOSTAR MICROTECH INT'L CORP
- Certificate Thumbprint: 06B1B1EBE6C8DC35A68E8EAC0C318BEF0E97512F
- Expected Filename: BS_HWMIo64.sys
Block Type: Authenticode Hash

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: Yes
Certificate Revoked: No
Relevant File Attributes:
- Authenticode Hash: 7018d515a6c781ea6097ca71d0f0603ad0d689f7ec99db27fcacd492a9e86027
- Certificate Subject: MICSYS Technology Co., Ltd.
- Certificate Thumbprint: 1F61F871318BDA41DE3BBF02F872FEA7587610F6
- Expected Filename: MsIo64.sys
Block Type: Authenticode Hash

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: No
Certificate Revoked: No
Relevant File Attributes:
- Authenticode Hash: b97f870c501714fa453cf18ae8a30c87d08ff1e6d784afdbb0121aea3da2dc28
- Certificate Subject: Microsoft Windows Hardware Compatibility Publisher
- Note: This driver does not carry the expected third-party vendor signature. This particular certificate was generated for Intel Corporation.
- Certificate Thumbprint: 5FB840AB811BC4BAB5C3B996FB2CC426CCC99449
- Expected Filename: piddrv64.sys
Block Type: Authenticode Hash

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: No
Certificate Revoked: Yes
Relevant File Attributes:
- Authenticode Hash: eb71a8ecef692e74ae356e8cb734029b233185ee5c2ccb6cc87cc6b36bea65cf
- Certificate Subject: Intel(R) Code Signing External; SEMA Software
- Certificate Thumbprint: 0ADDE92EAD607F6F00FBCAFC710FA218E9909DB5; 61FB826251C46EE836CA16363282378EAE097EA0
- Expected Filename: semav6msr64.sys
Block Type: Authenticode Hash
Sources:
- 9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33
- 648994905b29b9c4a1074eef332bf6932b638bad62df020b5452c74e2b15d78f

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: Yes
Certificate Revoked: No
Relevant File Attributes:
- Certificate Subject: CPUID
- Certificate Thumbprint: A8C275B55048EA67CE8D40B520FC0E5BCDEEDB92
- Expected Filename: cpuz.sys
Block Type: Signer, OriginalFileName, and FileVersion (up to 1.0.4.3)

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: Yes
Certificate Revoked: Yes
Relevant File Attributes:
- Certificate Subject: Elaborate Bytes AG
- Certificate Thumbprint: 76D30AA78F72FC5C7085C635F99EEA7DDD5C3CA3
- Expected Filename: ElbyCDIO.sys
Block Type: Signer, OriginalFileName, and FileVersion (up to 6.0.3.2)
References:
- CloneCD/DVD 'ElbyCDIO.sys' < 6.0.3.2 - Local Privilege Escalation
- Slingshot Malware Uses IoT Device in Targeted Attacks
- The Slingshot APT
- Equation Group: Questions and Answers

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: Yes
Certificate Revoked: Yes
Relevant File Attributes:
- Certificate Subject: Novell, Inc.
- Certificate Thumbprint: FC641C2C18684C959C575078F8D3A0C887772FC9
- Expected Filename: libnicm.sys
Block Type: Signer, OriginalFileName, and FileVersion (up to 3.1.12.0)
References:
- Novell Client 2 SP3 - 'nicm.sys' Local Privilege Escalation (Metasploit)
- CVE-2013-3956
- Windows Driver Signing Bypass by Derubsi

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: Yes
Certificate Revoked: Yes
Relevant File Attributes:
- Certificate Subject: Novell, Inc.
- Certificate Thumbprint: 4D8494B2925253999601FB1C749AFE098593B7FD
- Expected Filename: nicm.sys
Block Type: Signer, OriginalFileName, and FileVersion (up to 3.1.12.0)
References:
- Novell Client 2 SP3 - 'nicm.sys' Local Privilege Escalation (Metasploit)
- CVE-2013-3956
- Windows Driver Signing Bypass by Derubsi

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: Yes
Certificate Revoked: Yes
Relevant File Attributes:
- Certificate Subject: Novell, Inc.
- Certificate Thumbprint: FC641C2C18684C959C575078F8D3A0C887772FC9
- Expected Filename: nscm.sys
Block Type: Signer, OriginalFileName, and FileVersion (up to 3.1.12.0)
References:
- Novell Client 2 SP3 - 'nicm.sys' Local Privilege Escalation (Metasploit)
- CVE-2013-3956
- Windows Driver Signing Bypass by Derubsi

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: No
Certificate Revoked: No
Relevant File Attributes:
- Authenticode Hash: da8945bd5c693c0593c9d0e3bda49bb1c6007cb25643c95708c6b10bef7c136a
- Certificate Subject: Mitac Technology Corporation
- Certificate Thumbprint: 805E6E5FC40F9AC8CA15873A8FB7D79FA8B56DA1
- Expected Filename: mtcBSv64.sys
Block Type: Signer, OriginalFileName, and FileVersion (up to 21.2.0.0)

No VT hits for an OriginalFileName of sandra.sys were found. The following hashes represent matches for SANDRA. Either VT doesn't have any sandra.sys or the rule is mistaken (more likely).

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: Yes
Certificate Revoked: Yes
Relevant File Attributes:
- Certificate Subject: SiSoftware Ltd
- Certificate Thumbprint: CFAE1C952AA870C317D9D93DA857866D01EABB8A
- Expected Filename: sandra.sys
Block Type: Signer, OriginalFileName, and FileVersion (up to 10.12.0.0)
Sources:
- 1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b
- 0eab16c7f54b61620277977f8c332737081a46bc6bbde50742b6904bdd54f502
- cbf74bed1a4d3d5819b7c50e9d91e5760db1562d8032122edac6f0970f427183
- d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3
- 1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590
References:
- Sandra exploited by Slingshot rootkit
- Slingshot Malware Uses IoT Device in Targeted Attacks
- The Slingshot APT

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: Yes
Certificate Revoked: No
Relevant File Attributes:
- Certificate Subject: Realtek Semiconductor Corp
- Certificate Thumbprint: 0AE98618A1E26E64C5F2155B7C154B4C7864D4BD
- Expected Filename: rtkio64.sys
Block Type: Signer, OriginalFileName, and FileVersion (all versions)
References:
- Kernel Driver Utility
- Realtek rtkio64 Windows driver privilege escalation
- https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: Yes
Certificate Revoked: No
Relevant File Attributes:
- Certificate Subject: Realtek Semiconductor Corp.
- Certificate Thumbprint: 37A0BACB152A547382195095AB33601929877364; A92732C50BFE429E49FCE2D69D1184B6CA111AB6
- Expected Filename: rtkiow10x64.sys
Block Type: Signer, OriginalFileName, and FileVersion (all versions)
Sources:
- ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89
- 32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993
References:
- Kernel Driver Utility
- Realtek rtkio64 Windows driver privilege escalation
- https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: Yes
Certificate Revoked: No
Relevant File Attributes:
- Certificate Subject: Realtek Semiconductor Corp.
- Certificate Thumbprint: 37A0BACB152A547382195095AB33601929877364; A92732C50BFE429E49FCE2D69D1184B6CA111AB6
- Expected Filename: rtkiow8x64.sys
Block Type: Signer, OriginalFileName, and FileVersion (all versions)
Sources:
- b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038
- 082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d
References:
- Kernel Driver Utility
- Realtek rtkio64 Windows driver privilege escalation
- https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: No
Certificate Revoked: No
Relevant File Attributes:
- Certificate Subject: BIOSTAR MICROTECH INT'L CORP
- Certificate Thumbprint: 7B291F6E5B3DC1F097CEB6672372F8232A4F58A4
- Expected Filename: BSMI.sys
Block Type: Signer, OriginalFileName, and FileVersion (up to 1.0.0.3)
Sources:
- 59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347
- 552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: No
Certificate Revoked: No
Relevant File Attributes:
- Authenticode Hash: c3fa4872fd2c286904a0cf37a392ef89fb6ba2a84fc9e1b66c70e0cb5ae28efa
- Certificate Subject: Microsoft Windows Hardware Compatibility Publisher
- Note: This driver does not carry the expected third-party vendor signature. This particular certificate was generated for BIOSTAR MICROTECH INT'L CORP.
- Certificate Thumbprint: 6B3FFBCEF7BF128399AA034FE355D967E6780F5E
- Expected Filename: BS_HWMIO64_W10.sys
Block Type: Signer, OriginalFileName, and FileVersion (up to 10.0.1806.2200)

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: No
Certificate Revoked: No
Relevant File Attributes:
- Certificate Subject: BIOSTAR MICROTECH INT'L CORP
- Certificate Thumbprint: 7B291F6E5B3DC1F097CEB6672372F8232A4F58A4
- Expected Filename: BS_I2cIo.sys
Block Type: Signer, OriginalFileName, and FileVersion (up to 1.1.0.0)
Sources:
- f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65
- 42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb
- 55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: Yes
Certificate Revoked: Yes
Relevant File Attributes:
- Certificate Subject: Micro-Star Int'l Co. Ltd.
- Certificate Thumbprint: BCDB94A96B793E5DB6D8A787A2523C7E9DC0678C
- Expected Filename: NTIOLib.sys
Block Type: Signer, OriginalFileName, and FileVersion (up to 1.0.0.0)

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: No
Certificate Revoked: No
Relevant File Attributes:
- Certificate Subject: TOSHIBA CORPORATION
- Certificate Thumbprint: F9B188589F62D41A26D358861C66A52F1ABC6BE8; F081ED769CCC746128FDC96F788DB6638534AF3E
- Expected Filename: NCHGBIOS2x64.SYS
Block Type: Signer, OriginalFileName, and FileVersion (up to 4.2.4.0)
Sources:
- 314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073
- 7d4ca5760b6ad2e4152080e115f040f9d42608d2c7d7f074a579f911d06c8cf8

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: Yes
Certificate Revoked: No
Relevant File Attributes:
- Certificate Subject: Insyde Software Corp.
- Certificate Thumbprint: 05672CEF251C05574F909D97435AF41089DE57D9
- Expected Filename: segwindrvx64.sys
Block Type: Signer, OriginalFileName, and FileVersion (up to 100.0.7.2)
References:
- Program:Win32/VulnInsydeDriver.A
- https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md

Rule Classification: Malicious Driver
Known Abuse in the Wild: Yes
Certificate Revoked: No
Relevant File Attributes:
- Certificate Subject: Benjamin Delpy
- Certificate Thumbprint: AB9E92B943ED47D915BC26939E24A58303ACAA7E
- Expected Filename: mimidrv.sys
Block Type: Signer

Rule Classification: Malicious Driver
Known Abuse in the Wild: Yes
Certificate Revoked: No
Relevant File Attributes:
- Certificate Subject: Open Source Developer, Benjamin Delpy
- Certificate Thumbprint: 9431A67881C152112500E1BC89D4D37FD808DD71
- Expected Filename: mimidrv.sys
Block Type: Signer

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: Yes
Certificate Revoked: No
Relevant File Attributes:
- Certificate Subject: Sokno S.R.L.
- Certificate Thumbprint: 463E556B74FF56471F915D9C248B169DBC38EF34
- Expected Filename: speedfan.sys
Block Type: Signer
References:
- SpeedFan - 'Speedfan.sys' Local Privilege Escalation
- CVE-2007-5633
- Slingshot Malware Uses IoT Device in Targeted Attacks
- The Slingshot APT
- Equation Group: Questions and Answers

Rule Classification: Dual-purpose Driver
Known Abuse in the Wild: Yes
Certificate Revoked: No
Relevant File Attributes:
- Certificate Subject: ChongKim Chan
- Certificate Thumbprint: B6B53D538E235AAA987D75C52F73892C1CA4F9F2
- Expected Filename: RwDrv.sys
Block Type: Signer
Sources:
- d15a0bc7a39bbeff10019496c1ed217b7c1b26da37b2bdd46820b35161ddb3c4
- d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d
- ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3
- bdcacb9f373b017d0905845292bca2089feb0900ce80e78df1bcaae8328ce042
- 83fbf5d46cff38dd1c0f83686708b3bd6a3a73fddd7a2da2b5a3acccd1d9359c
References:
- RWEverything - Read & Write Everything
- TrickBot's new 'TrickBoot' module infects your UEFI firmware
- Rapid Response: TrickBoot

Rule Classification: Exploitation of Vulnerable Driver
Known Abuse in the Wild: Yes
Certificate Revoked: Yes
Relevant File Attributes:
- Certificate Subject: innotek GmbH
- Certificate Thumbprint: 32FAADEEBFF379AB63DE10B8636A9A9368743254
- Expected Filename: VBoxDrv.sys
Block Type: Signer
References:
- Uroburos – Deeper travel into kernel protection mitigation
- VirtualBox Privilege Escalation Vulnerability
- CVE-2008-3431
- Anatomy of Turla exploits
- Bring Your Own Vulnerable Kernel Driver

Rule Classification: Malicious Driver
Known Abuse in the Wild: Yes
Certificate Revoked: No
Relevant File Attributes:
- Certificate Subject: Microsoft Windows Hardware Compatibility Publisher
- Certificate Thumbprint: 38B7C74E37392713E436E19A2BE053100115DA88
- Note: This driver does not carry the expected third-party vendor signature. This particular certificate was generated for Globalsign 中国.
- Expected Filename: netfilterdrv.sys
Block Type: Authenticode Hash