A contextualized addendum to Microsoft's recommended driver block rules

DriverBlockRuleReference.md

Each driver entry below includes the following attributes:

• Rule - A unique name applied to a driver. Drivers listed below with a rule name starting with ID_ are derived from the WDAC configuration.
• Rule Classification - The type of abusable driver. The following rule classifications are currently supported:
  1. Exploitation of Vulnerable Driver - A legitimate but vulnerable driver that is prone to abuse by an attacker
  2. Dual-purpose Driver - A legitimate driver that is designed as a "power tool" of sorts to facilitate directly modifying kernel data structures that can be used for both benign and malicious purposes
  3. Malicious Driver - Known malicious, signed drivers
• Known Abuse in the Wild - Indicates if there is evidence of abuse in the wild
• Certificate Revoked - Indicates if the related certificate was revoked
• Relevant File Attributes - File attributes that may assist in building broader detection coverage or to facilitate variant hunting.
• Block Type - For driver entries that originate from the Microsoft recommended driver block rules, this specifies a description of how Microsoft recommends blocking/auditing the respective drivers in a robust fashion. The following block types are listed below:
  1. Authenticode Hash - It is recommended that the driver be blocked based on a hash of just the portions of a Portable Executable (PE) file that are considered for signature validation.
  2. OriginalFileName - It is recommended that the driver be blocked solely on the OriginalFileName in the VERSIONINFO resource.
  3. Signer, OriginalFileName, and FileVersion (up to X.X.X.X) - It is recommended that the driver be blocked based on its signer, OriginalFileName, and a specific range of vulnerable versions.
  4. Signer - It is recommended that the driver be blocked based solely on its signer.
• Sources - A list of file hashes identified in VirusTotal that correspond to the driver at hand. It is recommended at a minimum to establish detection coverage for these files hashes. Note: these hashes were obtained at a snapshot in time and will not reflect the totality of all possible drivers that match the corresponding rule.
• References - A list of relevant reference links that may offer more details and context about the abusable driver.

---

Rule: ID_DENY_BANDAI_*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

Yes

Relevant File Attributes

• Authenticode Hash: 7fd788358585e0b863328475898bb4400ed8d478466d1b7f5cc0252671456cc8
• Certificate Subject: NAMCO BANDAI Online Inc.
• Certificate Thumbprint: EFF833B56205ABF29B5E421DAF376B157DB3E43B

Block Type

Authenticode Hash

Sources

• 7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d

References

• https://twitter.com/zerosum0x0/status/963105295265353729
• A vulnerable driver: lesson almost learned

---

Rule: ID_DENY_CAPCOM_*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

Yes

Relevant File Attributes

• Authenticode Hash: faa08cb609a5b7be6bfdb61f1e4a5e8adf2f5a1d2492f262483df7326934f5d4
• Certificate Subject: CAPCOM Co.,Ltd., Xtreaming Technology Inc.
• Certificate Thumbprint: AB0E343FD727DE4869897A9AB7CA64512B36D0E9, 09EDEDDCBDB0C03C850F1D29920E412348120C8D

Block Type

Authenticode Hash

Sources

• da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24
• 54488a8c7da53222f25b6ed74b0dedc55d00f5fa80f4eaf6daac28f7c3528876
• 33bdaf3ab141db0f4c6a2c1f9fb047b4e5c6fa6ddc709d905efdd24c2b43041c
• ed122782215e93a010a9a1131390d702fd1a90426bc50e5ee94bda8d3ae9d0c9
• 18b12a09448244180344d7e5f8028a0ca53ca0f3bddfec06d00f995619c3fc0b
• d9e8be11a19699903016f39f95c9c5bf1a39774ecea73670f2c3ed5385ebfe4c
• 6621fb2e761237d2b09863fd31951789697f119d118d2e5db0e957ab0173f06a
• 2b188ae51ec3be082e4d08f7483777ec5e66d30e393a4e9b5b9dc9af93d1f09b
• c2562e0101cb39906c73b96fc15a6e6e3edd710b19858f6bbd0c90f1561b6038
• db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004

References

• Capcom Rootkit Proof-Of-Concept
• https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys

---

Rule: ID_DENY_FIDDRV64_*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

No

Relevant File Attributes

• Authenticode Hash: feef191064d18b6fb63b7299415d1b1e2ec8fcdd742854aa96268d0ec4a0f7b6
• Certificate Subject: Intel(R) Processor Identification Utility
• Certificate Thumbprint: 711727858B25D3224B500998EA44BE8E2F113D12
• Expected Filename: fiddrv64.sys

Block Type

Authenticode Hash

Sources

• 4bf4cced4209c73aa37a9e2bf9ff27d458d8d7201eefa6f6ad4849ee276ad158

References

• None

---

Rule: ID_DENY_FIDPCIDRV64_*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

Yes

Relevant File Attributes

• Authenticode Hash: 7fb0f6fc5bdd22d53f8532cb19da666a77a66ffb1cf3919a2e22b66c13b415b7
• Certificate Subject: Intel(R) Processor Identification Utility
• Certificate Thumbprint: 711727858B25D3224B500998EA44BE8E2F113D12
• Expected Filename: fidpcidrv64.sys

Block Type

Authenticode Hash

Sources

• 3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46

References

• None

---

Rule: ID_DENY_GDRV

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

Yes

Relevant File Attributes

• Certificate Subject: Giga-Byte Technology
• Certificate Thumbprint: 32DAEE48AE406222C2BB92C4F1B7F516E537175A
• Expected Filename: gdrv.sys

Block Type

OriginalFileName

Sources

• 31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427
• 88992ddcb9aaedb8bfcc9b4354138d1f7b0d7dddb9e7fcc28590f27824bee5c3
• cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b

References

• Living off another land: Ransomware borrows vulnerable driver to remove security software
• Ransomware Exploits GIGABYTE Driver to Kill AV Processes
• Ransomware installs Gigabyte driver to kill antivirus products
• Kernel Driver Utility

---

Rule: ID_DENY_GLCKIO2_*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

No

Relevant File Attributes

• Authenticode Hash: 47dba240967fd0088be618163672dfbddf0138178cccd45b54037f622b221220
• Certificate Subject: ASUSTeK Computer Inc.
• Certificate Thumbprint: 8B60E28D7D7873AD873E5FCFF01A5DCB5B999532
• Expected Filename: GLCKIO2.sys

Block Type

Authenticode Hash

Sources

• 61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0

References

• ASUS UEFI Update Driver Physical Memory Read/Write
• Kernel Driver Utility
• https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md

---

Rule: ID_DENY_GVCIDRV64_*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

No

Relevant File Attributes

• Authenticode Hash: 2ff09bb919a9909068166c30322c4e904befeba5429e9a11d011297fb8a73c07
• Certificate Subject: GIGA-BYTE TECHNOLOGY CO., LTD.
• Certificate Thumbprint: E31B1CE555B78944D20F160DF3BE831F1C638AE3
• Expected Filename: gvcidrv64.sys

Block Type

Authenticode Hash

Sources

• 42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f

References

• GIGABYTE Drivers Elevation of Privilege Vulnerabilities

---

Rule: ID_DENY_WINFLASH64_*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

Yes

Relevant File Attributes

• Authenticode Hash: f2b51fbeead17f5ee34d5b4a3a83c848fb76f8f0e80769212e137a7aa539a3bc
• Certificate Subject: Phoenix Technology Ltd.
• Certificate Thumbprint: 5266699008B6FC3F54660968977B75D17AA3F6F4
• Expected Filename: WinFlash64.sys

Block Type

Authenticode Hash

Sources

• 677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf

References

• https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md

---

Rule: ID_DENY_AMIFLDRV64_*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

Yes

Relevant File Attributes

• Authenticode Hash: 038f39558035292f1d794b7cf49f8e751e8633daec31454fe85cccbea83ba3fb
• Certificate Subject: NOVENTI Health SE, American Megatrends, Inc.
• Certificate Thumbprint: 04958B5EA91966FE89DA99B8ED5E4EEC8BAFDC26, 5353050D0A9B1F5176F65958EF735FB631392D76
• Expected Filename: amifldrv64.sys

Block Type

Authenticode Hash

Sources

• 5e238d351e16d4909ca394f1db0326a60d33c9ac7b4d78aefcf17a6d9cc72be9
• fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2

References

• https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md

---

Rule: ID_DENY_ASUPIO64*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

Yes

Relevant File Attributes

• Authenticode Hash: 7f75d91844b0c162eeb24d14bcf63b7f230e111daa7b0a26eaa489eeb22d9057
• Certificate Subject: ASUSTeK Computer Inc.
• Certificate Thumbprint: 64BC9DAE5710C93A9ACFED82EE5DCE0A9BA8D1A8
• Expected Filename: AsUpIO.sys

Block Type

Authenticode Hash

Sources

• b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602

References

• ASUS UEFI Update Driver Physical Memory Read/Write

---

Rule: ID_DENY_BSFLASH64_*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

No

Relevant File Attributes

• Authenticode Hash: 543c3f024e4affd0aafa3a229fa19dbe7a70972bb18ed6347d3492dd174edac5
• Certificate Subject: BIOSTAR MICROTECH INT'L CORP
• Certificate Thumbprint: 577E8A329A09C735C7B187FE76D88A7974BB8834
• Expected Filename: BS_Flash64.sys

Block Type

Authenticode Hash

Sources

• 86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219

References

• https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md

---

Rule: ID_DENY_BSHWMIO64_*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

No

Relevant File Attributes

• Authenticode Hash: 3de51a3102db7297d96b4de5b60aca5f3a07e8577bbbed7f755f1de9a9c38e75
• Certificate Subject: BIOSTAR MICROTECH INT'L CORP
• Certificate Thumbprint: 06B1B1EBE6C8DC35A68E8EAC0C318BEF0E97512F
• Expected Filename: BS_HWMIo64.sys

Block Type

Authenticode Hash

Sources

• 60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813

References

• https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md

---

Rule: ID_DENY_MSIO64_*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

No

Relevant File Attributes

• Authenticode Hash: 7018d515a6c781ea6097ca71d0f0603ad0d689f7ec99db27fcacd492a9e86027
• Certificate Subject: MICSYS Technology Co., Ltd.
• Certificate Thumbprint: 1F61F871318BDA41DE3BBF02F872FEA7587610F6
• Expected Filename: MsIo64.sys

Block Type

Authenticode Hash

Sources

• 525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd

References

• rewolf-msi-exploit
• Kernel Driver Utility

---

Rule: ID_DENY_PIDDRV64_*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

No

Relevant File Attributes

• Authenticode Hash: b97f870c501714fa453cf18ae8a30c87d08ff1e6d784afdbb0121aea3da2dc28
• Certificate Subject: Microsoft Windows Hardware Compatibility Publisher - Note: This doesn't not have a 3rd party vendor signature which is expected but not present. This particular certificate was generated for Intel Corporation.
• Certificate Thumbprint: 5FB840AB811BC4BAB5C3B996FB2CC426CCC99449
• Expected Filename: piddrv64.sys

Block Type

Authenticode Hash

Sources

• b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29

References

• https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md

---

Rule: ID_DENY_SEMAV6MSR64_*

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

Yes

Relevant File Attributes

• Authenticode Hash: eb71a8ecef692e74ae356e8cb734029b233185ee5c2ccb6cc87cc6b36bea65cf
• Certificate Subject: Intel(R) Code Signing External, SEMA Software
• Certificate Thumbprint: 0ADDE92EAD607F6F00FBCAFC710FA218E9909DB5, 61FB826251C46EE836CA16363282378EAE097EA0
• Expected Filename: semav6msr64.sys

Block Type

Authenticode Hash

Sources

• 9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33
• 648994905b29b9c4a1074eef332bf6932b638bad62df020b5452c74e2b15d78f

References

• https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md

---

Rule: ID_FILEATTRIB_CPUZ_DRIVER

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

No

Relevant File Attributes

• Certificate Subject: CPUID
• Certificate Thumbprint: A8C275B55048EA67CE8D40B520FC0E5BCDEEDB92
• Expected Filename: cpuz.sys

Block Type

Signer, OriginalFileName, and FileVersion (up to 1.0.4.3)

Sources

• a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4
• 1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961
• b01ebea651ec7780d0fe88dd1b6c2500a36dacf85e3a4038c2ca1c5cb44c7b5d
• f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c
• dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98
• 0484defcf1b5afbe573472753dc2395e528608b688e5c7d1d178164e48e7bed7
• 34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3
• 955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad
• b4c07f7e7c87518e8950eb0651ae34832b1ecee56c89cdfbd1b4efa8cf97779f
• ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe
• 1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512
• 80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1
• 68671b735716ffc168addc052c5dc3d635e63e71c1e78815e7874286c3fcc248
• 8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775
• 2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e
• 26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43
• ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d
• deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578
• 6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63
• 368a9c2b6f12adbe2ba65181fb96f8b0d2241e4eae9f3ce3e20e50c3a3cc9aa1
• bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa
• 8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2
• 1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c
• eaa5dae373553024d7294105e4e07d996f3a8bd47c770cdf8df79bf57619a8cd
• a3975db1127c331ba541fffff0c607a15c45b47aa078e756b402422ef7e81c2c
• 600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0
• 572c545b5a95d3f4d8c9808ebeff23f3c62ed41910eb162343dd5338e2d6b0b4
• ac1af529c9491644f1bda63267e0f0f35e30ab0c98ab1aecf4571f4190ab9db4
• c673f2eed5d0eed307a67119d20a91c8818a53a3cb616e2984876b07e5c62547
• b7aa4c17afdaff1603ef9b5cc8981bed535555f8185b59d5ae13f342f27ca6c5
• 5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe
• 636b4c1882bcdd19b56370e2ed744e059149c64c96de64ac595f20509efa6220
• e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90
• e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b
• 8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126
• 40da0adf588cbb2841a657239d92f24b111d62b173204b8102dd0e014932fe59
• df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15
• b0f6cd34717d0cea5ab394b39a9de3a479ca472a071540a595117219d9a61a44
• 405a99028c99f36ab0f84a1fd810a167b8f0597725e37513d7430617106501f1
• da617fe914a5f86dc9d657ef891bbbceb393c8a6fea2313c84923f3630255cdb
• 11a4b08e70ebc25a1d4c35ed0f8ef576c1424c52b580115b26149bd224ffc768
• 4d5059ec1ebd41284b9cea6ce804596e0f386c09eee25becdd3f6949e94139ba
• 9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c
• c8f0bb5d8836e21e7a22a406c69c01ba7d512a808c37c45088575d548ee25caa
• 6c5c6c350c8dd4ca90a8cca0ed1eeca185ebc67b1100935c8f03eb3032aca388
• b9695940f72e3ed5d7369fb32958e2146abd29d5895d91ccc22dfbcc9485b78b
• ff987c30ce822d99f3b4b4e23c61b88955f52406a95e6331570a2a13cbebc498
• 2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486
• 0e8595217f4457757bed0e3cdea25ea70429732b173bba999f02dc85c7e06d02
• 73c03b01d5d1eb03ec5cb5a443714b12fa095cc4b09ddc34671a92117ae4bb3a
• d366cbc1d5dd8863b45776cfb982904abd21d0c0d4697851ff54381055abcfc8
• 78d49094913526340d8d0ef952e8fe9ada9e8b20726b77fb88c9fb5d54510663
• 6001c6acae09d2a91f8773bbdfd52654c99bc672a9756dc4cb53dc2e3efeb097
• 3813c1aab1760acb963bcc10d6ea3fddc2976b9e291710756408de392bc9e5d5
• 592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c
• 45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26
• 019c2955e380dd5867c4b82361a8d8de62346ef91140c95cb311b84448c0fa4f
• b738eab6f3e32cec59d5f53c12f13862429d3db6756212bbcd78ba4b4dbc234c
• 3301b49b813427fa37a719988fe6446c6f4468dfe15aa246bec8d397f62f6486
• aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399
• 8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6
• 900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88
• 11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b
• 0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f
• b8ffe83919afc08a430c017a98e6ace3d9cbd7258c16c09c4f3a4e06746fc80a
• f7e0cca8ad9ea1e34fa1a5e0533a746b2fa0988ba56b01542bc43841e463b686
• 19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758
• 771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c
• 8d6febd54ce0c98ea3653e582f7791061923a9a4842bd4a1326564204431ca9f
• ef1abc77f4000e68d5190f9e11025ea3dc1e6132103d4c3678e15a678de09f33
• bc8cb3aebe911bd9b4a3caf46f7dda0f73fec4d2e4e7bc9601bb6726f5893091
• c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26
• f8d6ce1c86cbd616bb821698037f60a41e129d282a8d6f1f5ecdd37a9688f585
• 2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22
• 65e3548bc09dffd550e79501e3fe0fee268f895908e2bba1aa5620eb9bdac52d
• 523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba
• be683cd38e64280567c59f7dc0a45570abcb8a75f1d894853bbbd25675b4adf7
• c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e
• a11cf43794ea5b5122a0851bf7de08e559f6e9219c77f9888ff740055f2c155e
• 2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e
• 8a0702681bc51419fbd336817787a966c7f92cabe09f8e959251069578dfa881
• 3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf
• 53bd8e8d3542fcf02d09c34282ebf97aee9515ee6b9a01cefd81baa45c6fd3d6
• 69640e9209f8e2ac25416bd3119b5308894b6ce22b5c80cb5d5f98f2f85d42ce
• 49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668
• fb1183ef22ecbcc28f9c0a351c2c0280f1312a0fdf8a9983161691e2585efc70
• 2298e838e3c015aedfb83ab18194a2503fe5764a862c294c8b39c550aab2f08e
• 60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289
• 84c5f6ddd9c90de873236205b59921caabb57ac6f7a506abbe2ce188833bbe51
• d0543f0fdc589c921b47877041f01b17a534c67dcc7c5ad60beba8cf7e7bc9c6
• e51ec2876af3c9c3f1563987a9a35a10f091ea25ede16b1a34ba2648c53e9dfc
• 65deb5dca18ee846e7272894f74d84d9391bbe260c22f24a65ab37d48bd85377
• 922d23999a59ce0d84b479170fd265650bc7fae9e7d41bf550d8597f472a3832
• 67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc
• 8e92aacd60fca1f09b7257e62caf0692794f5d741c5d1eec89d841e87f2c359c
• c7f64b27cd3be5af1c8454680529ea493dfbb09e634eec7e316445ad73499ae0
• 79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd
• 3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3

References

• CPU-Z Exploit (CVE-2017-15302 & CVE-2017-15303)
• CPUZ-DSEFix
• CVE-2017-15302

---

Rule: ID_FILEATTRIB_ELBY_DRIVER

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

Yes

Relevant File Attributes

• Certificate Subject: Elaborate Bytes AG
• Certificate Thumbprint: 76D30AA78F72FC5C7085C635F99EEA7DDD5C3CA3
• Expected Filename: ElbyCDIO.sys

Block Type

Signer, OriginalFileName, and FileVersion (up to 6.0.3.2)

Sources

• 238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4
• 16b591cf5dc1e7282fdb25e45497fe3efc8095cbe31c05f6d97c5221a9a547e1
• 3e85cf32562a47d51827b21ab1e7f8c26c0dbd1cd86272f3cc64caae61a7e5fb
• 8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60
• f42eb29f5b2bcb2a70d796fd71fd1b259d5380b216ee672cf46dcdd4604b87ad
• 1f15fd9b81092a98fabcc4ac95e45cec2d9ff3874d2e3faac482f3e86edad441
• b9ad7199c00d477ebbc15f2dcf78a6ba60c2670dad0ef0994cebccb19111f890
• 033c4634ab1a43bc3247384864f3380401d3b4006a383312193799dded0de4c7
• 7048d90ed4c83ad52eb9c677f615627b32815066e34230c3b407ebb01279bae6
• 7cf756afcaf2ce4f8fb479fdede152a17eabf4c5c7c329699dab026a4c1d4fd0
• fed0fe2489ae807913be33827b3b11359652a127e33b64464cc570c05abd0d17
• 9ca586b49135166eea00c6f83329a2d134152e0e9423822a51c13394265b6340
• eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b
• d80714d87529bb0bc7abcc12d768c43a697fbca59741c38fa0b46900da4db30e
• ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47
• 828a18b16418c021b6c4aa8c6d54cef4e815efca0d48b9ff14822f9ccb69dff2
• 7227377a47204f8e2ff167eee54b4b3545c0a19e3727f0ec59974e1a904f4a96
• b11e109f6b3dbc8aa82cd7da0b7ba93d07d9809ee2a4b21ec014f6a676a53027

References

• CloneCD/DVD 'ElbyCDIO.sys' < 6.0.3.2 - Local Privilege Escalation
• Slingshot Malware Uses IoT Device in Targeted Attacks
• The Slingshot APT
• Equation Group: Questions and Answers

---

Rule: ID_FILEATTRIB_LIBNICM_DRIVER

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

Yes

Relevant File Attributes

• Certificate Subject: Novell, Inc.
• Certificate Thumbprint: FC641C2C18684C959C575078F8D3A0C887772FC9
• Expected Filename: libnicm.sys

Block Type

Signer, OriginalFileName, and FileVersion (up to 3.1.12.0)

Sources

• e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790
• 66a20fc2658c70facd420f5437a73fa07a5175998e569255cfb16c2f14c5e796
• c190e4a7f1781ec9fa8c17506b4745a1369dcdf174ce07f85de1a66cf4b5ed8a
• 3b7177e9a10c1392633c5f605600bb23c8629379f7f42957972374a05d4dc458
• 4cd80f4e33b713570f6a16b9f77679efa45a466737e41db45b41924e7d7caef4
• dd2f1f7012fb1f4b2fb49be57af515cb462aa9c438e5756285d914d65da3745b
• 87e094214feb56a482cd8ae7ee7c7882b5a8dccce7947fdaa04a660fa19f41e5
• 72b67b6b38f5e5447880447a55fead7f1de51ca37ae4a0c2b2f23a4cb7455f35
• 8138b219a2b1be2b0be61e5338be470c18ad6975f11119aee3a771d4584ed750
• d04c72fd31e7d36b101ad30e119e14f6df9cbc7a761526da9b77f9e0b9888bc4
• 66f8bd2b29763acfbb7423f4c3c9c3af9f3ca4113bd580ab32f6e3ee4a4fc64e
• 7f84f009704bc36f0e97c7be3de90648a5e7c21b4f870e4f210514d4418079a0
• 00c02901472d74e8276743c847b8148be3799b0e3037c1dfdca21fa81ad4b922
• b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e
• e89cb7217ec1568b43ad9ca35bf059b17c3e26f093e373ab6ebdeee24272db21
• 834a3d755b5ae798561f8e5fbb18cf28dfcae7a111dc6a03967888e9d10f6d78
• 0cfb7ea2cc515a7fe913ab3619cbfcf1ca96d8cf72dc350905634a5782907a49
• f27febff1be9e89e48a9128e2121c7754d15f8a5b2e88c50102cecee5fe60229
• 6cf1cac0e97d30bb445b710fd8513879678a8b07be95d309cbf29e9b328ff259
• d1c78c8ba70368e96515fb0596598938a8f9efa8f9f5d9e068ee008f03020fee

References

• Novell Client 2 SP3 - 'nicm.sys' Local Privilege Escalation (Metasploit)
• CVE-2013-3956
• Windows Driver Signing Bypass by Derubsi

---

Rule: ID_FILEATTRIB_NICM_DRIVER

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

Yes

Relevant File Attributes

• Certificate Subject: Novell, Inc.
• Certificate Thumbprint: 4D8494B2925253999601FB1C749AFE098593B7FD
• Expected Filename: nicm.sys

Block Type

Signer, OriginalFileName, and FileVersion (up to 3.1.12.0)

Sources

• e728b259113d772b4e96466ab8fe18980f37c36f187b286361c852bd88101717
• 6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44
• 7a2cd1dc110d014165c001ce65578da0c0c8d7d41cc1fa44f974e8a82296fc25
• c08581e3e444849729c5b956d0d6030080553d0bc6e5ae7e9a348d45617b9746
• 94c226a530dd3cd8d911901f702f3dab8200d1d4fdc73fcb269f7001f4e66915
• dd4fedd5662122cbfe046a12e2137294ef1cb7822238d9e24eacc78f22f8e93d
• 4c859b3d11d2ff0049b644a19f3a316a8ca1a4995aa9c39991a7bde8d4f426a4
• a15325e9e6b8e4192291deb56c20c558dde3f96eb682c6e90952844edb984a00
• 6b71b7f86e41540a82d7750a698e0386b74f52962b879cbb46f17935183cd2c7
• 00b3ff11585c2527b9e1c140fd57cb70b18fd0b775ec87e9646603056622a1fd
• 18f306b6edcfacd33b7b244eaecdd0986ef342f0d381158844d1f0ee1ac5c8d7
• 8b688dd055ead2c915a139598c8db7962b42cb6e744eaacfcb338c093fc1f4e7
• 3140005ce5cac03985f71c29732859c88017df9d41c3761aa7c57bbcb7ad2928
• ec1307356828426d60eab78ffb5fc48a06a389dea6e7cc13621f1fa82858a613
• 84739539aa6a9c9cb3c48c53f9399742883f17f24e081ebfa7bfaaf59f3ed451
• 1c2f1e2b0cc4da128feb73a6b9dd040df8495fefe861d69c9f44778c6ddb9b9b
• e279e425d906ba77784fb5b2738913f5065a567d03abe4fd5571695d418c1c0f
• 1e9c236ed39507661ec32731033c4a9b9c97a6221def69200e03685c08e0bfa7
• 76276c87617b836dd6f31b73d2bb0e756d4b3d133bddfe169cb4225124ca6bfb
• 6c5aef14613b8471f5f4fdeb9f25b5907c2335a4bc18b3c2266fb1ffd8f1741d
• 904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a

References

• Novell Client 2 SP3 - 'nicm.sys' Local Privilege Escalation (Metasploit)
• CVE-2013-3956
• Windows Driver Signing Bypass by Derubsi

---

Rule: ID_FILEATTRIB_NSCM_DRIVER

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

Yes

Relevant File Attributes

• Certificate Subject: Novell, Inc.
• Certificate Thumbprint: FC641C2C18684C959C575078F8D3A0C887772FC9
• Expected Filename: nscm.sys

Block Type

Signer, OriginalFileName, and FileVersion (up to 3.1.12.0)

Sources

• 76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22
• 653f6a65e0e608cae217bea2f90f05d8125cf23f83ba01a60de0f5659cfa5d4d
• ca34f945117ec853a713183fa4e8cf85ea0c2c49ca26e73d869fee021f7b491d
• 1675eedd4c7f2ec47002d623bb4ec689ca9683020e0fdb0729a9047c8fb953dd
• a495ffa623a5220179b0dd519935e255dd6910b7b7bc3d68906528496561ff53
• a855b6ec385b3369c547a3c54e88a013dd028865aba0f3f08be84cdcbaa9a0f6
• 49ef680510e3dac6979a20629d10f06822c78f45b9a62ec209b71827a526be94
• 14938f68957ede6e2b742a550042119a8fbc9f14427fb89fa53fff12d243561c
• f77fe6b1e0e913ac109335a8fa2ac4961d35cbbd50729936059aba8700690a9e
• c6feb3f4932387df7598e29d4f5bdacec0b9ce98db3f51d96fc4ffdcc6eb10e1
• 202d9703a5b8d06c5f92d2c5218a93431aa55af389007826a9bfaaf900812213
• e7b79fe1377b3da749590c080d4d96e59e622b1013b2183b98c81baa8bf2fffe
• 003e61358878c7e49e18420ee0b4a37b51880be40929a76e529c7b3fb18e81b4
• b0b6a410c22cc36f478ff874d4a23d2e4b4e37c6e55f2a095fc4c3ef32bcb763
• 5a661e26cfe5d8dedf8c9644129039cfa40aebb448895187b96a8b7441d52aaa
• f62911334068c9edd44b9c3e8dee8155a0097aa331dd4566a61afa3549f35f65
• 0cf91e8f64a7c98dbeab21597bd76723aee892ed8fa4ee44b09f9e75089308e2
• 53810ca98e07a567bb082628d95d796f14c218762cbbaa79704740284dccda4b
• e4cf438838dc10b188b3d4a318fd9ba2479abb078458d7f97591c723e2d637ce
• 41eeeb0472c7e9c3a7146a2133341cd74dd3f8b5064c9dee2c70e5daa060954f
• ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2

References

• Novell Client 2 SP3 - 'nicm.sys' Local Privilege Escalation (Metasploit)
• CVE-2013-3956
• Windows Driver Signing Bypass by Derubsi

---

Rule: ID_FILEATTRIB_MTCBSV64

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

No

Relevant File Attributes

• Authenticode Hash: da8945bd5c693c0593c9d0e3bda49bb1c6007cb25643c95708c6b10bef7c136a
• Certificate Subject: Mitac Technology Corporation
• Certificate Thumbprint: 805E6E5FC40F9AC8CA15873A8FB7D79FA8B56DA1
• Expected Filename: mtcBSv64.sys

Block Type

Signer, OriginalFileName, and FileVersion (up to 21.2.0.0)

Sources

• c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8

References

• https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md

---

Rule: ID_FILEATTRIB_SANDRA_DRIVER

No VT hits for an OriginalFileName of sandra.sys were found. The following hashes represent matches for SANDRA. Either VT doesn't have any sandra.sys or the rule is mistaken (more likely).

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

Yes

Relevant File Attributes

• Certificate Subject: SiSoftware Ltd
• Certificate Thumbprint: CFAE1C952AA870C317D9D93DA857866D01EABB8A
• Expected Filename: sandra.sys

Block Type

Signer, OriginalFileName, and FileVersion (up to 10.12.0.0)

Sources

• 1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b
• 0eab16c7f54b61620277977f8c332737081a46bc6bbde50742b6904bdd54f502
• cbf74bed1a4d3d5819b7c50e9d91e5760db1562d8032122edac6f0970f427183
• d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3
• 1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590

References

• Sandra exploited by Slingshot rootkit
• Slingshot Malware Uses IoT Device in Targeted Attacks
• The Slingshot APT

---

Rule: ID_FILEATTRIB_RTKIO64_DRIVER

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

No

Relevant File Attributes

• Certificate Subject: Realtek Semiconductor Corp
• Certificate Thumbprint: 0AE98618A1E26E64C5F2155B7C154B4C7864D4BD
• Expected Filename: rtkio64.sys

Block Type

Signer, OriginalFileName, and FileVersion (all versions)

Sources

• 4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7
• 7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129
• 3e1f592533625bf794e0184485a4407782018718ae797103f9e968ff6f0973a1
• 074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761
• 442c18aeb09556bb779b21185c4f7e152b892410429c123c86fc209a802bff3c
• db711ec3f4c96b60e4ed674d60c20ff7212d80e34b7aa171ad626eaa8399e8c7
• 8ef59605ebb2cb259f19aba1a8c122629c224c58e603f270eaa72f516277620c
• a6f7897cd08fe9de5e902bb204ff87215584a008f458357d019a50d6139ca4af

References

• Kernel Driver Utility
• Realtek rtkio64 Windows driver privilege escalation
• https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md

---

Rule: ID_FILEATTRIB_RTKIOW10X64_DRIVER

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

No

Relevant File Attributes

• Certificate Subject: Realtek Semiconductor Corp.
• Certificate Thumbprint: 37A0BACB152A547382195095AB33601929877364, A92732C50BFE429E49FCE2D69D1184B6CA111AB6
• Expected Filename: rtkiow10x64.sys

Block Type

Signer, OriginalFileName, and FileVersion (all versions)

Sources

• ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89
• 32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993

References

• Kernel Driver Utility
• Realtek rtkio64 Windows driver privilege escalation
• https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md

---

Rule: ID_FILEATTRIB_RTKIOW8X64_DRIVER

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

No

Relevant File Attributes

• Certificate Subject: Realtek Semiconductor Corp.
• Certificate Thumbprint: 37A0BACB152A547382195095AB33601929877364, A92732C50BFE429E49FCE2D69D1184B6CA111AB6
• Expected Filename: rtkiow8x64.sys

Block Type

Signer, OriginalFileName, and FileVersion (all versions)

Sources

• b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038
• 082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d

References

• Kernel Driver Utility
• Realtek rtkio64 Windows driver privilege escalation
• https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md

---

Rule: ID_FILEATTRIB_BSMI

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

No

Relevant File Attributes

• Certificate Subject: BIOSTAR MICROTECH INT'L CORP
• Certificate Thumbprint: 7B291F6E5B3DC1F097CEB6672372F8232A4F58A4
• Expected Filename: BSMI.sys

Block Type

Signer, OriginalFileName, and FileVersion (up to 1.0.0.3)

Sources

• 59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347
• 552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9

References

• https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md

---

Rule: ID_FILEATTRIB_BS_HWMIO64

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

No

Relevant File Attributes

• Authenticode Hash: c3fa4872fd2c286904a0cf37a392ef89fb6ba2a84fc9e1b66c70e0cb5ae28efa
• Certificate Subject: Microsoft Windows Hardware Compatibility Publisher - Note: This doesn't not have a 3rd party vendor signature which is expected but not present. This particular certificate was generated for BIOSTAR MICROTECH INT'L CORP.
• Certificate Thumbprint: 6B3FFBCEF7BF128399AA034FE355D967E6780F5E
• Expected Filename: BS_HWMIO64_W10.sys

Block Type

Signer, OriginalFileName, and FileVersion (up to 10.0.1806.2200)

Sources

• 1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8

References

• https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md

---

Rule: ID_FILEATTRIB_BS_I2CIO

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

No

Relevant File Attributes

• Certificate Subject: BIOSTAR MICROTECH INT'L CORP
• Certificate Thumbprint: 7B291F6E5B3DC1F097CEB6672372F8232A4F58A4
• Expected Filename: BS_I2cIo.sys

Block Type

Signer, OriginalFileName, and FileVersion (up to 1.1.0.0)

Sources

• f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65
• 42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb
• 55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a

References

• https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md

---

Rule: ID_FILEATTRIB_NTIOLIB

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

Yes

Relevant File Attributes

• Certificate Subject: Micro-Star Int'l Co. Ltd.
• Certificate Thumbprint: BCDB94A96B793E5DB6D8A787A2523C7E9DC0678C
• Expected Filename: NTIOLib.sys

Block Type

Signer, OriginalFileName, and FileVersion (up to 1.0.0.0)

Sources

• d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530
• 50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793
• 79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57
• 6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4
• 99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1
• 89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be
• fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03
• 9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449
• b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d
• a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499

References

• rewolf-msi-exploit
• https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md

---

Rule: ID_FILEATTRIB_NCHGBIOS2X64

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

No

Certificate Revoked

No

Relevant File Attributes

• Certificate Subject: TOSHIBA CORPORATION
• Certificate Thumbprint: F9B188589F62D41A26D358861C66A52F1ABC6BE8, F081ED769CCC746128FDC96F788DB6638534AF3E
• Expected Filename: NCHGBIOS2x64.SYS

Block Type

Signer, OriginalFileName, and FileVersion (up to 4.2.4.0)

Sources

• 314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073
• 7d4ca5760b6ad2e4152080e115f040f9d42608d2c7d7f074a579f911d06c8cf8

References

• https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md

---

Rule: ID_FILEATTRIB_SEGWINDRVX64

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

No

Relevant File Attributes

• Certificate Subject: Insyde Software Corp.
• Certificate Thumbprint: 05672CEF251C05574F909D97435AF41089DE57D9
• Expected Filename: segwindrvx64.sys

Block Type

Signer, OriginalFileName, and FileVersion (up to 100.0.7.2)

Sources

• b9ae1d53a464bc9bb86782ab6c55e2da8804c80a361139a82a6c8eef30fddd7c
• 65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd
• c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2
• 38d6d90d543bf6037023c1b1b14212b4fa07731cbbb44bdb17e8faffc12b22e8
• 7164aaff86b3b7c588fc7ae7839cc09c5c8c6ae29d1aff5325adaf5bedd7c9f5
• 0d30c6c4fa0216d0637b4049142bc275814fd674859373bd4af520ce173a1c75
• 0452a6e8f00bae0b79335c1799a26b2b77d603451f2e6cc3b137ad91996d4dec

References

• Program:Win32/VulnInsydeDriver.A
• https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md

---

Rule: ID_SIGNER_MIMIKATZ_KERNEL

Rule Classification

Malicious Driver

Known Abuse in the Wild

Yes

Certificate Revoked

No

Relevant File Attributes

• Certificate Subject: Benjamin Delpy
• Certificate Thumbprint: AB9E92B943ED47D915BC26939E24A58303ACAA7E
• Expected Filename: mimidrv.sys

Block Type

Signer

Sources

• 4b97d63ebdeda6941bb8cef5e94741c6cca75237ca830561f2262034805f0919
• c7bccc6f38403def4690e00a0b31eda05973d82be8953a3379e331658c51b231
• d43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96
• d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f
• ee525b90053bb30908b5d7bf4c5e9b8b9d6b7b5c9091a26fa25d30d3ad8ef5d0
• 41ad660820c41fc8b1860b13dc1fea8bc8cb2faceb36ed3e29d40d28079d2b1f
• d37996abc8efb29f1ccbb4335ce9ba9158bec86cc4775f0177112e87e4e3be5c
• d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be
• 443c0ba980d4db9213b654a45248fd855855c1cc81d18812cae9d16729ff9a85
• 2c14bea0d85c9cad5c5f5c8d0e5442f6deb9e93fe3ad8ea5e8e147821c6f9304
• 0aab2deae90717a8876d46d257401d265cf90a5db4c57706e4003c19eee33550
• b0b80a11802b4a8ca69c818a03e76e7ef57c2e293de456439401e8e6073f8719
• 07759750fbb93c77b5c3957c642a9498fcff3946a5c69317db8d6be24098a4a0
• 083f821d90e607ed93221e71d4742673e74f573d0755a96ad17d1403f65a2254
• 94c71954ac0b1fd9fa2bd5c506a16302100ba75d9f84f39ee9b333546c714601
• 4d42678df3917c37f44a1506307f1677b9a689efcf350b1acce7e6f64b514905
• 12b0000698b79ea3c8178b9e87801cc34bad096a151a8779559519deafd4e3f0
• 793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875
• 06ddf49ac8e06e6b83fccba1141c90ea01b65b7db592c54ffe8aa6d30a75c0b8
• efa56907b9d0ec4430a5d581f490b6b9052b1e979da4dab6a110ab92e17d4576
• cf9451c9ccc5509b9912965f79c2b95eb89d805b2a186d7521d3a262cf5a7a37
• 4136f1eb11cc463a858393ea733d5f1c220a3187537626f7f5d63eccf7c5a03f
• 10ad50fcb360dcab8539ea322aaf2270565dc835b7535790937348523d723d6b
• a1e6b431534258954db07039117b3159e889c6b9e757329bbd4126383c60c778
• 85b9d7344bf847349b5d58ebe4d44fd63679a36164505271593ef1076aa163b2
• 1a5c08d40a5e73b9fe63ea5761eaec8f41d916ca3da2acbc4e6e799b06af5524
• ee7b8eb150df2788bb9d5fe468327899d9f60d6731c379fd75143730a83b1c55
• 3ca5d47d076e99c312578ef6499e1fa7b9db88551cfc0f138da11105aca7c5e1
• 569fe70bedd0df8585689b0e88ad8bd0544fdf88b9dbfc2076f4bdbcf89c28aa
• 19dfacea1b9f19c0379f89b2424ceb028f2ce59b0db991ba83ae460027584987
• 082a79311da64b6adc3655e79aa090a9262acaac3b917a363b9571f520a17f6a
• e99580e25f419b5ad90669e0c274cf63d30efa08065d064a863e655bdf77fb59
• bc49cb96f3136c3e552bf29f808883abb9e651040415484c1736261b52756908
• 93aa3066ae831cdf81505e1bc5035227dc0e8f06ebbbb777832a17920c6a02fe
• 2456a7921fa8ab7b9779e5665e6b42fccc019feb9e49a9a28a33ec0a4bb323c4
• aaf04d89fd15bc61265e545f8e1da80e20f59f90058ed343c62ee24358e3af9e
• a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852
• f03f0fb3a26bb83e8f8fa426744cf06f2e6e29f5220663b1d64265952b8de1a1
• 0f98492c92e35042b09032e3d9aedc357e4df94fc840217fa1091046f9248a06
• 95e5b5500e63c31c6561161a82f7f9373f99b5b1f54b018c4866df4f2a879167
• e8ec06b1fa780f577ff0e8c713e0fd9688a48e0329c8188320f9eb62dfc0667f
• c42c1e5c3c04163bf61c3b86b04a5ec7d302af7e254990cef359ac80474299da
• a0931e16cf7b18d15579e36e0a69edad1717b07527b5407f2c105a2f554224b2
• f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5
• 492113a223d6a3fc110059fe46a180d82bb8e002ef2cd76cbf0c1d1eb8243263
• ac5fb90e88d8870cd5569e661bea98cf6b001d83ab7c65a5196ea3743146939a
• 7b846b0a717665e4d9fb313f25d1f6a5b782e495387aea45cf87ad3c049ac0db
• 618b15970671700188f4102e5d0638184e2723e8f57f7e917fa49792daebdadb
• 4c89c907b7525b39409af1ad11cc7d2400263601edafc41c935715ef5bd145de
• 9a42fa1870472c38a56c0a70f62e57a3cdc0f5bc142f3a400d897b85d65800ac
• 80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3
• d41e39215c2c1286e4cd3b1dc0948adefb161f22bc3a78756a027d41614ee4ff
• a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640
• a7a665a695ec3c0f862a0d762ad55aff6ce6014359647e7c7f7e3c4dc3be81b7
• 1d23ab46ad547e7eef409b40756aae9246fbdf545d13946f770643f19c715e80
• 200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a
• 9e56e96df36237e65b3d7dbc490afdc826215158f6278cd579c576c4b455b392
• 008fa89822b7a1f91e5843169083202ea580f7b06eb6d5cae091ba844d035f25
• 36f45a42ebf2de6962db92aaf8845d7f9fd6895bedc31422adcf31c59a79602d
• e8743094f002239a8a9d6d7852c7852e0bb63cd411b007bd8c194bcba159ef15
• 4dc24fd07f8fb854e685bc540359c59f177de5b91231cc44d6231e33c9e932b1
• a85d3fd59bb492a290552e5124bfe3f9e26a3086d69d42ccc44737b5a66673ec
• 47356707e610cfd0be97595fbe55246b96a69141e1da579e6f662ddda6dc5280
• 02ebf848fa618eba27065db366b15ee6629d98f551d20612ac38b9f655f37715
• a78c9871da09fab21aec9b88a4e880f81ecb1ed0fa941f31cc2f041067e8e972
• 406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9
• b0a27ac1a8173413de13860d2b2e34cb6bc4d1149f94b62d319042e11d8b004c
• 704c6ffe786bc83a73fbdcd2edd50f47c3b5053da7da6aa4c10324d389a31db4
• 3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6
• 1ef7afea0cf2ef246ade6606ef8b7195de9cd7a3cd7570bff90ba1e2422276f6
• 2da2b883e48e929f5365480d487590957d9e6582cc6da2c0b42699ba85e54fe2
• 8b32fc8b15363915605c127ccbf5cbe71778f8dfbf821a25455496e969a01434
• 31b66a57fae0cc28a6a236d72a35c8b6244f997e700f9464f9cbf800dbf8bee6
• c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c
• 26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55
• 07beac65e28ee124f1da354293a3d6ad7250ed1ce29b8342acfd22252548a5af
• f6157e033a12520c73dcedf8e49cd42d103e5874c34d6527bb9de25a5d26e5ad
• 4bd4715d2a7af627da11513e32fab925c872babebdb7ff5675a75815fbf95021
• 60ee78a2b070c830fabb54c6bde0d095dff8fad7f72aa719758b3c41c72c2aa9
• e858de280bd72d7538386a73e579580a6d5edba87b66b3671dc180229368be19
• 14b89298134696f2fd1b1df0961d36fa6354721ea92498a349dc421e79447925
• 9dc7beb60a0a6e7238fc8589b6c2665331be1e807b4d2b3ddd1c258dbbd3e2f7
• 6964a5d85639baee288555797992861232e75817f93028b50b8c6d34aa38b05b
• 083a311875173f8c4653e9bbbabb689d14aa86b852e7fa9f5512fc60e0fd2c43
• dfc80e0d468a2c115a902aa332a97e3d279b1fc3d32083e8cf9a4aadf3f54ad1
• 0d676baac43d9e2d05b577d5e0c516fba250391ab0cb11232a4b17fd97a51e35
• 087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212
• 82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2
• 8b30b2dc36d5e8f1ffc7281352923773fb821cdf66eb6516f82c697a524b599b
• af4f42197f5ce2d11993434725c81ecb6f54025110dedf56be8ffc0e775d9895
• 0f58e09651d48d2b1bcec7b9f7bb85a2d1a7b65f7a51db281fe0c4f058a48597
• 822982c568b6f44b610f8dc4ab5d94795c33ae08a6a608050941264975c1ecdb
• 4af8192870afe18c77381dfaf8478f8914fa32906812bb53073da284a49ae4c7
• f3ec3f22639d45b3c865bb1ed7622db32e04e1dbc456298be02bf1f3875c3aac
• 29348ebe12d872c5f40e316a0043f7e5babe583374487345a79bad0ba93fbdfe
• 7662187c236003308a7951c2f49c0768636c492f8935292d02f69e59b01d236d
• ec96b15ce218f97ec1d8f07f13b052d274c4c8438f31daf246ccfaaee5e1bebd
• 0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39
• 64d4370843a07e25d4ceb68816015efcaeca9429bb5bb692a88e615b48c7da96
• c4c9c84b211899ceb0d18a839afa497537a7c7c01ab481965a09788a9e16590c
• 5295080de37d4838e15dec4e3682545033d479d3d9ac28d74747c086559fb968
• a42f4ae69b8755a957256b57eb3d319678eab81705f0ffea0d649ace7321108f
• 6d68d8a71a11458ddf0cbb73c0f145bee46ef29ce03ad7ece6bd6aa9d31db9b7
• 52f3905bbd97dcd2dbd22890e5e8413b9487088f1ee2fa828030a6a45b3975fd
• a74e8f94d2c140646a8bb12e3e322c49a97bd1b8a2e4327863d3623f43d65c66
• 28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553
• 7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28
• 2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21
• b34e2d9f3d4ef59cf7af18e17133a6a06509373e69e33c8eecb2e30501d0d9e4
• 0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3
• 673bbc7fa4154f7d99af333014e888599c27ead02710f7bc7199184b30b38653
• deade507504d385d8cae11365a2ac9b5e2773ff9b61624d75ffa882d6bb28952
• b7956e31c2fcc0a84bcedf30e5f8115f4e74eed58916253a0c05c8be47283c57
• 62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920
• 773b4a1efb9932dd5116c93d06681990759343dfe13c0858d09245bc610d5894
• 36c65aeb255c06898ffe32e301030e0b74c8bca6fe7be593584b8fdaacd4e475
• c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e
• 82b7fa34ad07dbf9afa63b2f6ed37973a1b4fe35dee90b3cf5c788c15c9f08f7
• 208ea38734979aa2c86332eba1ea5269999227077ff110ac0a0d411073165f85
• 26bea3b3ab2001d91202f289b7e41499d810474607db7a0893ceab74f5532f47
• b8c71e1844e987cd6f9c2baf28d9520d4ccdd8593ce7051bb1b3c9bf1d97076a
• 4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b
• af7ca247bf229950fb48674b21712761ac650d33f13a4dca44f61c59f4c9ac46
• 62036cdf3663097534adf3252b921eed06b73c2562655eae36b126c7d3d83266
• accb1a6604efb1b3ce9345c9fd62fe717a84c3e089e09c638e461df89193ef01
• 627e13da6a45006fff4711b14754f9ccfac9a5854d275da798a22f3a68dd1eaa
• 69866557566c59772f203c11f5fba30271448e231b65806a66e48f41e3804d7f
• 8684aec77b4c3cafc1a6594de7e95695fa698625d4206a6c4b201875f76a5b38
• 15cf366f7b3ee526db7ce2b5253ffebcbfaa4f33a82b459237c049f854a97c0c
• d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad
• 51805bb537befaac8ce28f2221624cb4d9cefdc0260bc1afd5e0bc97bf1f9f93
• c8ae217860f793fce3ad0239d7b357dba562824dd7177c9d723ca4d4a7f99a12
• 4bca0a401b364a5cc1581a184116c5bafa224e13782df13272bc1b748173d1be
• c4fb31e3f24e40742a1b9855a2d67048fe64b26d8d2dbcec77d2d5deeded2bcc
• 2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8
• eab9b5b7e5fab1c2d7d44cd28f13ae8bb083d9362d2b930d43354a3dfd38e05a
• bcb774b6f6ff504d2db58096601bc5cb419c169bfbeaa3af852417e87d9b2aa0
• 469713c76c7a887826611b8c7180209a8bb6250f91d0f1eb84ac4d450ef15870
• ddf427ce55b36db522f638ba38e34cd7b96a04cb3c47849b91e7554bfd09a69a
• e4b2c0aa28aac5e197312a061b05363e2e0387338b28b23272b5b6659d29b1d8
• 897f2bbe81fc3b1ae488114b93f3eb0133a85678d061c7a6f718507971f33736
• 818787057fc60ac8b957aa37d750aa4bace8e6a07d3d28b070022ee6dcd603ab
• 94ba4bcbdb55d6faf9f33642d0072109510f5c57e8c963d1a3eb4f9111f30112
• baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3
• b169a5f643524d59330fafe6e3e328e2179fc5116ee6fae5d39581467d53ac03
• bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd
• 30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2
• c13f5bc4edfbe8f1884320c5d76ca129d00de41a1e61d45195738f125dfe60a7
• ece76b79feafb38ae4371e104b6dcbb4253ff3b2acbe5bd14ce6e47525c24f4a
• be70be9d84ae14ea1fa5ec68e2a61f6acfe576d965fe51c6bac78fba01a744fb
• e5ddfa39540d4e7ada56cdc1ebd2eb8c85a408ec078337488a81d1c3f2aaa4ff
• 3033ff03e6f523726638b43d954bc666cdd26483fa5abcf98307952ff88f80ee

References

• https://github.com/gentilkiwi/mimikatz
• Mimidrv In Depth: Exploring Mimikatz’s Kernel Driver

---

Rule: ID_SIGNER_MIMIKATZ_USER

Rule Classification

Malicious Driver

Known Abuse in the Wild

Yes

Certificate Revoked

No

Relevant File Attributes

• Certificate Subject: Open Source Developer, Benjamin Delpy
• Certificate Thumbprint: 9431A67881C152112500E1BC89D4D37FD808DD71
• Expected Filename: mimidrv.sys

Block Type

Signer

Sources

• 2ce4f8089b02017cbe86a5f25d6bc69dd8b6f5060c918a64a4123a5f3be1e878
• fefc070a5f6a9c0415e1c6f44512a33e8d163024174b30a61423d00d1e8f9bf2
• aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9
• 40556dd9b79b755cc0b48d3d024ceb15bd2c0e04960062ab2a85cd7d4d1b724a
• 8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe
• beef40f1b4ce0ff2ee5c264955e6b2a0de6fe4089307510378adc83fad77228b
• 21617210249d2a35016e8ca6bd7a1edda25a12702a2294d56010ee8148637f5a
• b2486f9359c94d7473ad8331b87a9c17ca9ba6e4109fd26ce92dff01969eaa09

References

• https://github.com/gentilkiwi/mimikatz
• Mimidrv In Depth: Exploring Mimikatz’s Kernel Driver

---

Rule: ID_SIGNER_SPEEDFAN

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

No

Relevant File Attributes

• Certificate Subject: Sokno S.R.L.
• Certificate Thumbprint: 463E556B74FF56471F915D9C248B169DBC38EF34
• Expected Filename: speedfan.sys

Block Type

Signer

Sources

• f4ee803eefdb4eaeedb3024c3516f1f9a202c77f4870d6b74356bbde32b3b560
• 0bd1523a68900b80ed1bccb967643525cca55d4ff4622d0128913690e6bb619e
• 965d4f981b54669a96c5ab02d09bf0a9850d13862425b8981f1a9271350f28bb
• 22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c
• ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b
• 1e94d4e6d903e98f60c240dc841dcace5f9e8bbb0802e6648a49ab80c23318cb
• 88fb0a846f52c3b680c695cd349bf56151a53a75a07b8b0b4fe026ab8aa0a9af

References

• SpeedFan - 'Speedfan.sys' Local Privilege Escalation
• CVE-2007-5633
• Slingshot Malware Uses IoT Device in Targeted Attacks
• The Slingshot APT
• Equation Group: Questions and Answers

---

Rule: ID_SIGNER_RWEVERY

Rule Classification

Dual-purpose Driver

Known Abuse in the Wild

Yes

Certificate Revoked

No

Relevant File Attributes

• Certificate Subject: ChongKim Chan
• Certificate Thumbprint: B6B53D538E235AAA987D75C52F73892C1CA4F9F2
• Expected Filename: RwDrv.sys

Block Type

Signer

Sources

• d15a0bc7a39bbeff10019496c1ed217b7c1b26da37b2bdd46820b35161ddb3c4
• d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d
• ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3
• bdcacb9f373b017d0905845292bca2089feb0900ce80e78df1bcaae8328ce042
• 83fbf5d46cff38dd1c0f83686708b3bd6a3a73fddd7a2da2b5a3acccd1d9359c

References

• RWEverything - Read & Write Everything
• TrickBot's new 'TrickBoot' module infects your UEFI firmware
• Rapid Response: TrickBoot

---

Rule: ID_SIGNER_VBOX

Rule Classification

Exploitation of Vulnerable Driver

Known Abuse in the Wild

Yes

Certificate Revoked

Yes

Relevant File Attributes

• Certificate Subject: innotek GmbH
• Certificate Thumbprint: 32FAADEEBFF379AB63DE10B8636A9A9368743254
• Expected Filename: VBoxDrv.sys

Block Type

Signer

Sources

• cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986
• b50b11e2203942695380869c6072e15479290bc57da2ec5df3481a36b8a8561e
• 775000c4083c8e4dcfc879d83fcd27b40b46820c9834ae4662861386a4d81fe9
• d44848d3e845f8293974e8b621b72a61ec00c8d3cf95fcf41698bbbd4bdf5565
• bbf564a02784d53b8006333406807c3539ee4a594585b1f3713325904cb730ec
• d53f9111a5e6c94b37e3f39c5860897405cb250dd11aa91c3814a98b1759c055
• 9a4e75da4609d08e1338c383727f5bb27accb13e8b491d1c22d7f21f4ddf91e5
• 3d055be2671e136c937f361cef905e295ddb6983526341f1d5f80a16b7655b40
• d998ea6d0051e17c1387c9f295b1c79bacb2f61c23809903445f60313d36c7fd
• cfa28e2f624f927d4cbd2952306570d86901d2f24e3d07cc6277e98289d09783
• 8a2482e19040d591c7cec5dfc35865596ce0154350b5c4e1c9eecc86e7752145
• 5b26c4678ecd37d1829513f41ff9e9df9ef1d1d6fea9e3d477353c90cc915291
• 73fddd441a764e808ed6d6b8f3d0d13713e61221aa3cfef7da91cdaf112fe061
• c509935f3812ad9b363754216561e0a529fc2d5b8e86bfa7302b8d149b7d04aa
• 983310cdce8397c016bfcfcc9c3a8abbb5c928b235bc3c3ae3a3cc10ef24dfbd
• 994f322def98c99aec7ea0036ef5f4b802120458782ae3867d116d55215c56e4

References

• Uroburos – Deeper travel into kernel protection mitigation
• VirtualBox Privilege Escalation Vulnerability
• CVE-2008-3431
• Anatomy of Turla exploits
• Bring Your Own Vulnerable Kernel Driver

---

Rule: ID_DENY_RETLIFTEN_*

Rule Classification

Malicious Driver

Known Abuse in the Wild

Yes

Certificate Revoked

No

Relevant File Attributes

• Certificate Subject: Microsoft Windows Hardware Compatibility Publisher
• Certificate Thumbprint: 38B7C74E37392713E436E19A2BE053100115DA88 Note: This doesn't not have a 3rd party vendor signature which is expected but not present. This particular certificate was generated for Globalsign 中国.
• Expected Filename: netfilterdrv.sys

Block Type

Authenticode Hash

Sources

• 6a6db5febdaf3f1577bf97c6e1e24913e6c78b134062c02fd1f9875099c03a3f
• 3700b38d63d426ff0a985226b45eca6e24d052f4262d12aff529e62c2cb889c3
• 8249e9c0ac0840a36d9a5b9ff3e217198a2f533159acd4bf3d9b0132cc079870
• 63d61549030fcf46ff1dc138122580b4364f0fe99e6b068bc6a3d6903656aff0
• e0afb8b937a5907fbe55a1d1cc7574e9304007ef33fa80ff3896e997a1beaf37
• 1aa8ba45f9524847e2a36c0dc6fd80162923e88dc1be217dde2fb5894c65ff43
• f83c357106a7d1d055b5cb75c8414aa3219354deb16ae9ee7efe8ee4c8c670ca
• d60fdabaf5a0ab375361d2ed1a9b39832bdb8bd33466d6c43d42a48ba2ffd274
• 115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a1406
• 70b63dfc3ed2b89a4eb8a0aa6c26885f460e5686d21c9d32413df0cdc5f962c7

References

• Microsoft signed a malicious Netfilter rootkit