From 82ad1cdce8e243db6d264cd120f205bbe45373ec Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Sun, 30 Jul 2023 08:10:37 -0600 Subject: [PATCH] Cleanup on aisle 101 --- .../13629878-55d1-4d2e-94dc-2f1ee4b75350.yaml | 2 +- .../dcdb48ea-6e14-491d-8785-d15f5d61fb04.yaml | 2 +- .../04f580fd-a5de-4172-87b2-109ca6081eed.yaml | 206 --------------- .../14556074-b235-4378-b356-f58721629d72.yaml | 165 +++++++++++- .../2a6a38ca-f2e6-456e-9ccf-db59d8c80c9e.yaml | 2 +- .../7f221b69-bdf6-41ad-a3a4-2a4a090005a3.yaml | 240 ------------------ .../9454a752-233e-4ba2-b585-8da242bf8f31.yaml | 198 ++++++++++++++- yaml/a7628504-9e35-4e42-91f7-0c0a512549f4.yml | 2 +- .../bc5e020a-ecff-43c8-b57b-ee17b5f65b21.yaml | 5 +- .../ecabc507-2cc7-4011-89ab-7d9d659e6f88.yaml | 2 +- 10 files changed, 368 insertions(+), 456 deletions(-) rename {yaml => old}/13629878-55d1-4d2e-94dc-2f1ee4b75350.yaml (99%) rename {yaml => old}/dcdb48ea-6e14-491d-8785-d15f5d61fb04.yaml (99%) delete mode 100644 yaml/04f580fd-a5de-4172-87b2-109ca6081eed.yaml delete mode 100644 yaml/7f221b69-bdf6-41ad-a3a4-2a4a090005a3.yaml diff --git a/yaml/13629878-55d1-4d2e-94dc-2f1ee4b75350.yaml b/old/13629878-55d1-4d2e-94dc-2f1ee4b75350.yaml similarity index 99% rename from yaml/13629878-55d1-4d2e-94dc-2f1ee4b75350.yaml rename to old/13629878-55d1-4d2e-94dc-2f1ee4b75350.yaml index 6868b2679..573edc535 100644 --- a/yaml/13629878-55d1-4d2e-94dc-2f1ee4b75350.yaml +++ b/old/13629878-55d1-4d2e-94dc-2f1ee4b75350.yaml @@ -184,5 +184,5 @@ MitreID: T1068 Resources: - https://gist.github.com/mgraeber-rc/1bde6a2a83237f17b463d051d32e802c Tags: -- myfile.exe +- mimikatz.sys Verified: 'TRUE' diff --git a/yaml/dcdb48ea-6e14-491d-8785-d15f5d61fb04.yaml b/old/dcdb48ea-6e14-491d-8785-d15f5d61fb04.yaml similarity index 99% rename from yaml/dcdb48ea-6e14-491d-8785-d15f5d61fb04.yaml rename to old/dcdb48ea-6e14-491d-8785-d15f5d61fb04.yaml index 08ce6fe8d..e8db8638c 100644 
--- a/yaml/dcdb48ea-6e14-491d-8785-d15f5d61fb04.yaml +++ b/old/dcdb48ea-6e14-491d-8785-d15f5d61fb04.yaml @@ -217,5 +217,5 @@ MitreID: T1068 Resources: - https://gist.github.com/mgraeber-rc/1bde6a2a83237f17b463d051d32e802c Tags: -- d3 +- netfilter.sys Verified: 'TRUE' diff --git a/yaml/04f580fd-a5de-4172-87b2-109ca6081eed.yaml b/yaml/04f580fd-a5de-4172-87b2-109ca6081eed.yaml deleted file mode 100644 index 90242090b..000000000 --- a/yaml/04f580fd-a5de-4172-87b2-109ca6081eed.yaml +++ /dev/null 
@@ -1,206 +0,0 @@ -Acknowledgement: - Handle: '' - Person: '' -Author: Michael Haag -CVE: -- '' -Category: vulnerable drivers -Commands: - Command: '' - Description: Confirmed vulnerable driver from Microsoft Block List - OperatingSystem: Windows - Privileges: kernel - Usecase: Elevate privileges -Created: '2023-07-22' -Detection: -- type: '' - value: '' -Id: 04f580fd-a5de-4172-87b2-109ca6081eed -KnownVulnerableSamples: -- Authentihash: - MD5: 743d201f6bc28cef84e7f80979bbd591 - SHA1: 7a68999c9c27ce9f3709091bbc7bb9bd0ed2315c - SHA256: 1cc70915340c82975727566bcdde5865a8bad3a357c3ac9b8ef2e444623be8e7 - Company: innotek GmbH - Copyright: (C) 2004-2007 innotek GmbH - CreationTimestamp: '2008-02-19 09:08:50' - Date: '' - Description: VirtualBox Display Driver - ExportedFunctions: - - AssertMsg1 - - AssertMsg2 - - RTCrc64 - - RTCrc64Finish - - RTCrc64Process - - RTCrc64Start - - RTLogBackdoorPrintf - - RTLogBackdoorPrintfV - - RTLogFormatV - - RTLogWriteUser - - RTStrFormat - - RTStrFormatNumber - - RTStrFormatV - FileVersion: 1.5.6.28241 - Filename: '' - ImportedFunctions: - - EngDeviceIoControl - - EngAllocMem - - EngCreateSemaphore - - EngDeleteSemaphore - - EngFreeMem - - EngDeleteSurface - - EngUnlockSurface - - EngAssociateSurface - - EngLockSurface - - EngCreateBitmap - - EngCreateDeviceSurface - - EngDeletePalette - - EngCreatePalette - - PALOBJ_cGetColors - - EngCopyBits - - EngBitBlt - - EngTextOut - - EngLineTo - - EngStretchBlt - - EngPaint - - EngFillPath - - EngStrokePath - - PATHOBJ_vGetBounds - - CLIPOBJ_bEnum - - CLIPOBJ_cEnumStart - - BRUSHOBJ_pvGetRbrush - - PATHOBJ_bEnum - - PATHOBJ_vEnumStart - - BRUSHOBJ_pvAllocRbrush - - EngReleaseSemaphore - - EngAcquireSemaphore - Imports: - - WIN32K.SYS - InternalName: VBoxDisp.dll - MD5: 05f400fea7f03ae0330d349013ebd33a - MachineType: I386 - MagicHeader: 50 45 0 0 - OriginalFilename: VBoxDisp.dll - PDBPath: '' - Product: VirtualBox Guest Tools - ProductVersion: 1.5.6.28241 - Publisher: '' - RichPEHeaderHash: - 
MD5: e6693e932a2cba52bdd649bc2518728a - SHA1: e246a95659791515c454adfeca0a7522bdc5196f - SHA256: 13df379d5416d51f502c097e2a082b18f65df609b55cbfb376166bb1aa59bd15 - SHA1: ffe743673f3de27f8810184fb35b315e2cf19c2b - SHA256: 9a4e75da4609d08e1338c383727f5bb27accb13e8b491d1c22d7f21f4ddf91e5 - Sections: - .text: - Entropy: 6.452487966634651 - Virtual Size: '0x83a8' - .rdata: - Entropy: 3.8498709325870695 - Virtual Size: '0x1440' - .data: - Entropy: 5.543682562488848 - Virtual Size: '0x1548' - .edata: - Entropy: 4.821178153762516 - Virtual Size: '0x16f' - INIT: - Entropy: 5.055018497711608 - Virtual Size: '0x2f8' - .rsrc: - Entropy: 3.256105793257316 - Virtual Size: '0x3d0' - .reloc: - Entropy: 6.344888472907673 - Virtual Size: '0x4b2' - Signature: '' - Signatures: - - CertificatesInfo: '' - SignerInfo: '' - Certificates: - - Subject: C=DE, O=innotek GmbH, CN=innotek GmbH, emailAddress=info@innotek.de - ValidFrom: '2007-12-27 14:37:17' - ValidTo: '2010-12-27 14:37:17' - Signature: 2a6d31919705290526ee3286d2825883af75a52ec1257276e9ab0eeff47a83adeab4bc2068eb7f76f84a356d466012e17b91d4f5c2913d28c73ee15018243e2ba7487f70d21f954eeeefb9854fc980d1ee61bf9a779e6e9a661938d7d9d6d101ddb49a9917264622f0ce4d63ac106b50769c38e9361a34f6cf5c5cae3ef50eb2a49d0f02c001af28d1f1fe250f2c99e5436b485a107eab17295180e5750eb31faee1ea0937a827bc140906a014b85409d8c48afbfcee20bf53f4e74661c1f555823c4bee18fde06e1e3e44fb8930e3ea84385e5006fd994fe8e69205a84ed7ed0f25c7b9f8fcb6f7d5b30188c27bf99050175afb1fc60f89ed2462ce999ca5dc - SignatureAlgorithmOID: 1.2.840.113549.1.1.5 - IsCertificateAuthority: true - SerialNumber: 010000000001171c092665 - Version: 3 - TBS: - MD5: 5cfd8530475b20ed5a2bed70b37ee977 - SHA1: 4761dbd41ba2b01f21b9306ca21e8add93a30f09 - SHA256: 219041cc8d9e3248c69d9b116d440a0bbaa6aa500aa0c5de2d5af15908d83c7f - - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , - G2 - ValidFrom: '2007-06-15 00:00:00' - ValidTo: '2012-06-14 23:59:59' - Signature: 
50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233 - SignatureAlgorithmOID: 1.2.840.113549.1.1.5 - IsCertificateAuthority: false - SerialNumber: 3825d7faf861af9ef490e726b5d65ad5 - Version: 3 - TBS: - MD5: d6c7684e9aaa508cf268335f83afe040 - SHA1: 18066d20ad92409c567cdfde745279ff71c75226 - SHA256: a612fb22ce8be6dab75e47c98508f98496583e79c9c97b936a8caee9ea9f3fff - - Subject: C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA - ValidFrom: '2003-12-04 00:00:00' - ValidTo: '2013-12-03 23:59:59' - Signature: 4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a - SignatureAlgorithmOID: 1.2.840.113549.1.1.5 - IsCertificateAuthority: true - SerialNumber: 47bf1995df8d524643f7db6d480d31a4 - Version: 3 - TBS: - MD5: 518d2ea8a21e879c942d504824ac211c - SHA1: 21ce87d827077e61abddf2beba69fde5432ea031 - SHA256: 1ec3b4f02e03930a470020e0e48d24b84678bb558f46182888d870541f5e25c7 - - Subject: C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign - Primary Object Publishing CA - ValidFrom: '1999-01-28 12:00:00' - ValidTo: '2014-01-27 11:00:00' - Signature: 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 - SignatureAlgorithmOID: 1.2.840.113549.1.1.5 - IsCertificateAuthority: true - SerialNumber: 04000000000108d9611cd6 - Version: 3 - TBS: - MD5: 698f075151097d84c0b1f3e7bc3d6fca - SHA1: 
041750993d7c9e063f02dfe74699598640911aab - SHA256: a8622cca0913a20477be8313b8d16fcad5d83088b46b36ddac10b31e96abb5e8 - - Subject: C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign - CA - ValidFrom: '2004-01-22 09:00:00' - ValidTo: '2014-01-27 10:00:00' - Signature: 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 - SignatureAlgorithmOID: 1.2.840.113549.1.1.5 - IsCertificateAuthority: true - SerialNumber: 04000000000108d9612448 - Version: 3 - TBS: - MD5: 2fc76031fc24eec1ef3db2d246d21d6a - SHA1: 75c3a1f76b9dfa31ef6bf56325e7bd0bf6e4779d - SHA256: 9238292d441c56dc89684c253343c17de3ed9cecd7f83d1d8f793b5ebc91f7b9 - - Subject: C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA - ValidFrom: '2006-05-23 17:00:51' - ValidTo: '2016-05-23 17:10:51' - Signature: 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 - SignatureAlgorithmOID: 1.2.840.113549.1.1.5 - IsCertificateAuthority: true - SerialNumber: 610b7f6b000000000019 - Version: 3 - TBS: - MD5: 4798d55be7663a75649cda4dedc686ef - SHA1: 0f1ab2937b245d9466ea6f9bf056a5942e3989cf - SHA256: ef14ea05bb066ee9f4188196dd69cd769b283ac4d7555db52f5e76922d3456e1 - Signer: - - SerialNumber: 010000000001171c092665 - Issuer: C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign - CA - Version: 1 -MitreID: T1068 -Resources: -- https://gist.github.com/mgraeber-rc/1bde6a2a83237f17b463d051d32e802c -Tags: -- VBoxDisp.dll -Verified: 'TRUE' diff --git a/yaml/14556074-b235-4378-b356-f58721629d72.yaml b/yaml/14556074-b235-4378-b356-f58721629d72.yaml index 980577dfd..11c4a3b73 100644 --- a/yaml/14556074-b235-4378-b356-f58721629d72.yaml +++ b/yaml/14556074-b235-4378-b356-f58721629d72.yaml 
@@ -1808,9 +1808,172 @@ KnownVulnerableSamples: - SerialNumber: 112169417a1c3ef46a301f99385f50680fa0 Issuer: C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2 Version: 1 +- Authentihash: + MD5: 93936f2a18b6a8501653ef021972d628 + SHA1: c08664c9293219c245006ff18ae75de42722ca60 + SHA256: be25688313f29d7e62c996572825c33f3dcdda373ec235efe552aeb2219990bb + Company: '' + Copyright: '' + CreationTimestamp: '2013-08-17 16:23:52' + Date: '' + Description: '' + ExportedFunctions: '' + FileVersion: '' + Filename: '' + ImportedFunctions: + - RtlCompareMemory + - IoCreateSymbolicLink + - IoCreateDevice + - DbgPrint + - PsProcessType + - PsGetProcessImageFileName + - PsReferencePrimaryToken + - ZwOpenProcessTokenEx + - ZwSetInformationProcess + - ZwClose + - ZwDuplicateToken + - PsInitialSystemProcess + - ObOpenObjectByPointer + - IofCompleteRequest + - PsDereferencePrimaryToken + - ExAllocatePoolWithTag + - ExFreePoolWithTag + - IoEnumerateRegisteredFiltersList + - ObfDereferenceObject + - MmGetSystemRoutineAddress + - CcMdlRead + - SeImpersonateClientEx + - PsSetCreateThreadNotifyRoutine + - PsSetLoadImageNotifyRoutine + - CmUnRegisterCallback + - KeBugCheckEx + - _vsnwprintf + - IoDeleteDevice + - RtlInitUnicodeString + - NtBuildNumber + - PsGetProcessId + - IoDeleteSymbolicLink + - PsGetVersion + - ExAllocatePoolWithQuotaTag + - ZwQuerySystemInformation + - RtlUnwindEx + - FltGetFilterInformation + - FltEnumerateInstances + - FltEnumerateFilters + - FltObjectDereference + - FltGetVolumeFromInstance + Imports: + - ntoskrnl.exe + - FLTMGR.SYS + InternalName: '' + MD5: 84763d8ca9fe5c3bff9667b2adf667de + MachineType: AMD64 + MagicHeader: 50 45 0 0 + OriginalFilename: '' + PDBPath: '' + Product: '' + ProductVersion: '' + Publisher: '' + RichPEHeaderHash: + MD5: 6931e969068f58678830e6bb4ee1ae49 + SHA1: bd694fda9f3f6b6a24e205b6027faf20b7d02b7a + SHA256: 0ba61ea701b8a9e1bae7234e761b74c12b4262a3798d4525ce4b626affb6fc9a + SHA1: 8b9dd4c001f17e7835fdaf0d87a2f3e026557e84 + 
SHA256: 2c14bea0d85c9cad5c5f5c8d0e5442f6deb9e93fe3ad8ea5e8e147821c6f9304 + Sections: + .data: + Entropy: 1.4269125817182893 + Virtual Size: '0x2b8' + .pdata: + Entropy: 3.9170697014365152 + Virtual Size: '0x1f8' + .rdata: + Entropy: 4.063554093583363 + Virtual Size: '0x940' + .reloc: + Entropy: 2.8064493688417227 + Virtual Size: '0xa4' + .text: + Entropy: 6.097853212616491 + Virtual Size: '0x37f6' + INIT: + Entropy: 5.100311543493838 + Virtual Size: '0x5cc' + PAGE: + Entropy: 6.079756252073022 + Virtual Size: '0x28b' + Signature: '' + Signatures: + - Certificates: + - IsCertificateAuthority: true + SerialNumber: 0400000000012019c19066 + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + Subject: OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA + TBS: + MD5: 42023b9487cafe46c1b6a49c369a362e + SHA1: 7c7b524d269334b9f073c32e888e09544c6acd98 + SHA256: b7126567833f3daa4085ff41e73112daad3d1e3808a942c1936520e2d6c46c78 + ValidFrom: '2009-03-18 11:00:00' + ValidTo: '2028-01-28 12:00:00' + Version: 3 + - IsCertificateAuthority: true + SerialNumber: 0400000000012f4ee1355c + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + Subject: C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2 + TBS: + MD5: f6a9e8eb8784f3f694b4e353c08a0ff5 + SHA1: 589a7d4df869395601ba7538a65afae8c4616385 + SHA256: cbdc9a0ad785d0c2013211746b42234e18bdc7d54a7a260647badc1c9e712ed4 + ValidFrom: '2011-04-13 10:00:00' + ValidTo: '2019-04-13 10:00:00' + Version: 3 + - IsCertificateAuthority: false + SerialNumber: 01000000000125b0b4cc01 + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + Subject: C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority + TBS: + MD5: e3369c8e5aec0504b3a50455f615d9f9 + SHA1: 13c244a894b40ecd18aaf97c362f20385bd005a7 + SHA256: 
26da721a670c72836926032fee6920118bfb9bff89cc8d0ce30d9452c33f2532 + ValidFrom: '2009-12-21 09:32:56' + ValidTo: '2020-12-22 09:32:56' + Version: 3 + - IsCertificateAuthority: false + SerialNumber: 112169417a1c3ef46a301f99385f50680fa0 + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + Subject: C=FR, CN=Benjamin Delpy + TBS: + MD5: ee0a53dda8301d1e78bd5487f1d49bf4 + SHA1: 5538f8cd492c2ec8d581f3665d2b4217c86fa19a + SHA256: a39725e610e1a556e7bdfad56f59d24a5278073378a5d9880e14395bbd808deb + ValidFrom: '2011-06-28 09:46:16' + ValidTo: '2014-06-28 09:46:16' + Version: 3 + - IsCertificateAuthority: true + SerialNumber: 610b7f6b000000000019 + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.5 + Subject: C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA + TBS: + MD5: 4798d55be7663a75649cda4dedc686ef + SHA1: 0f1ab2937b245d9466ea6f9bf056a5942e3989cf + SHA256: ef14ea05bb066ee9f4188196dd69cd769b283ac4d7555db52f5e76922d3456e1 + ValidFrom: '2006-05-23 17:00:51' + ValidTo: '2016-05-23 17:10:51' + Version: 3 + CertificatesInfo: '' + Signer: + - Issuer: C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2 + SerialNumber: 112169417a1c3ef46a301f99385f50680fa0 + Version: 1 + SignerInfo: '' MitreID: T1068 Resources: - https://gist.github.com/mgraeber-rc/1bde6a2a83237f17b463d051d32e802c Tags: - mimikatz.sys -Verified: 'TRUE' +Verified: 'TRUE' \ No newline at end of file diff --git a/yaml/2a6a38ca-f2e6-456e-9ccf-db59d8c80c9e.yaml b/yaml/2a6a38ca-f2e6-456e-9ccf-db59d8c80c9e.yaml index 3dae2b4aa..8782b6595 100644 --- a/yaml/2a6a38ca-f2e6-456e-9ccf-db59d8c80c9e.yaml +++ b/yaml/2a6a38ca-f2e6-456e-9ccf-db59d8c80c9e.yaml @@ -177,5 +177,5 @@ MitreID: T1068 Resources: - https://gist.github.com/mgraeber-rc/1bde6a2a83237f17b463d051d32e802c Tags: -- file +- nvflash.sys Verified: 'TRUE' 
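Review bot: The only change to the last line of this hunk is the loss of the trailing newline (`-Verified: 'TRUE'` / `+Verified: 'TRUE'` followed by `\ No newline at end of file`), which leaves the file without a line terminator and will surface as a spurious change in every later diff; the 9454a752 hunk does the same. Keeping the newline and dropping that `-`/`+` pair restores a clean diff. The appended sample also carries `Filename: ''`, `OriginalFilename: ''` and `Description: ''`, so nothing in the entry itself ties its hashes to the name in `Tags: - mimikatz.sys`; if that tag is the observed on-disk name, populating `Filename: mimikatz.sys` would let consumers that key on Filename rather than Tags match it. This entry appears to be the same sample as the file moved to `old/13629878-…` at the top of the patch; if the loader still globs `old/`, the sample and its Id will be indexed twice.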
diff --git a/yaml/7f221b69-bdf6-41ad-a3a4-2a4a090005a3.yaml b/yaml/7f221b69-bdf6-41ad-a3a4-2a4a090005a3.yaml deleted file mode 100644 index 3b8b396db..000000000 --- a/yaml/7f221b69-bdf6-41ad-a3a4-2a4a090005a3.yaml +++ /dev/null 
@@ -1,240 +0,0 @@ -Acknowledgement: - Handle: '' - Person: '' -Author: Michael Haag -CVE: -- '' -Category: vulnerable drivers -Commands: - Command: '' - Description: Confirmed vulnerable driver from Microsoft Block List - OperatingSystem: Windows - Privileges: kernel - Usecase: Elevate privileges -Created: '2023-07-22' -Detection: -- type: '' - value: '' -Id: 7f221b69-bdf6-41ad-a3a4-2a4a090005a3 -KnownVulnerableSamples: -- Authentihash: - MD5: 07d92a295ee543234903293c356f7934 - SHA1: 8081e736d0b4194aa8b3e7d321b6d87a4a202889 - SHA256: 55ecc80adf0c234708383190f79685086bccebc61382cae47ad10f19f5e68009 - Company: '' - Copyright: '' - CreationTimestamp: '2014-08-01 01:37:10' - Date: '' - Description: '' - ExportedFunctions: '' - FileVersion: 4.4.1.9596 - Filename: '' - ImportedFunctions: - - InitCommonControlsEx - - SHGetPathFromIDListW - - SHGetFileInfoW - - CommandLineToArgvW - - ShellExecuteW - - ShellExecuteExW - - SHGetMalloc - - SHBrowseForFolderW - - SHGetSpecialFolderLocation - - CreateFileA - - FreeLibrary - - GetProcessHeap - - HeapAlloc - - GetLastError - - GetProcAddress - - HeapFree - - LoadLibraryW - - GetModuleFileNameW - - LocalFree - - WaitForSingleObject - - CreateProcessW - - SetCurrentDirectoryW - - GetCurrentDirectoryW - - CloseHandle - - SetFileApisToOEM - - GetCurrentProcess - - GetCurrentThread - - SetPriorityClass - - GetEnvironmentVariableW - - SetThreadPriority - - GetVersionExW - - GetModuleHandleW - - ExpandEnvironmentStringsW - - CreateFileW - - GetCommandLineW - - DeleteFileW - - GetFileAttributesW - - RemoveDirectoryW - - CreateDirectoryW - - FindClose - - FindNextFileW - - FindFirstFileW - - FormatMessageW - - InterlockedExchangeAdd - - SetEndOfFile - - SetFileTime - - WriteFile - - SetFilePointer - - GetFileSize - - ReadFile - - MultiByteToWideChar - - WideCharToMultiByte - - InitializeCriticalSection - - LeaveCriticalSection - - EnterCriticalSection - - DeleteCriticalSection - - MoveFileW - - lstrlenW - - GetTempPathW - - 
GetFullPathNameW - - GetWindowsDirectoryW - - GetTempFileNameW - - SetFileAttributesW - - GetLongPathNameW - - ResetEvent - - CreateEventW - - SetEvent - - FindResourceW - - FileTimeToSystemTime - - SetStdHandle - - WriteConsoleW - - GetConsoleOutputCP - - WriteConsoleA - - GetStringTypeW - - GetStringTypeA - - GetLocaleInfoA - - LoadLibraryA - - HeapReAlloc - - VirtualAlloc - - FlushFileBuffers - - GetConsoleMode - - GetConsoleCP - - LCMapStringW - - LCMapStringA - - GetCurrentProcessId - - GetTickCount - - QueryPerformanceCounter - - VirtualFree - - HeapCreate - - HeapDestroy - - GetStartupInfoA - - GetACP - - WaitForMultipleObjects - - ResumeThread - - GetFileType - - SetHandleCount - - GetCommandLineA - - GetEnvironmentStringsW - - FreeEnvironmentStringsW - - GetEnvironmentStrings - - FreeEnvironmentStringsA - - IsValidCodePage - - TerminateProcess - - UnhandledExceptionFilter - - SetUnhandledExceptionFilter - - IsDebuggerPresent - - GetSystemTimeAsFileTime - - GetVersionExA - - GetStartupInfoW - - ExitThread - - GetCurrentThreadId - - CreateThread - - RaiseException - - RtlUnwind - - GetModuleHandleA - - TlsGetValue - - TlsAlloc - - TlsSetValue - - TlsFree - - InterlockedIncrement - - SetLastError - - InterlockedDecrement - - Sleep - - HeapSize - - ExitProcess - - GetStdHandle - - GetModuleFileNameA - - GetCPInfo - - GetOEMCP - - TranslateMessage - - IsWindowVisible - - EnableWindow - - GetMessageW - - KillTimer - - DispatchMessageW - - PostQuitMessage - - CreateDialogParamW - - ScreenToClient - - DestroyIcon - - IsWindow - - ShowWindow - - MessageBoxW - - PostMessageW - - DialogBoxParamW - - SetWindowPos - - GetWindowRect - - GetSystemMetrics - - GetWindowTextW - - SetWindowTextW - - GetDlgItem - - SendMessageW - - EndDialog - - SetFocus - - LoadIconW - - GetDesktopWindow - - LoadStringW - - SetTimer - - IsDialogMessageW - - DeleteObject - - CreateSolidBrush - - CoUninitialize - - CoTaskMemFree - - CoInitializeEx - - CoCreateInstance - - CoInitialize - 
Imports: - - COMCTL32.dll - - SHELL32.dll - - KERNEL32.dll - - USER32.dll - - GDI32.dll - - ole32.dll - InternalName: '' - MD5: 85bd61f697d33131fd6609fbc7337ebf - MachineType: I386 - MagicHeader: 50 45 0 0 - OriginalFilename: '' - PDBPath: '' - Product: '' - ProductVersion: '4.4' - Publisher: '' - RichPEHeaderHash: - MD5: dfcfc6a02ddd326f58049ed74c742afd - SHA1: b7f6386a0252574ac5b2b5b7dc9c870426dce32d - SHA256: f0dbb3a42d7c94e8ef47b0f7c5c36a6281a7623f7995a61413e616a96db583c0 - SHA1: eb1a5457010b07393ffd4c8c8206e83e737290ec - SHA256: 272d3541491b145e93c47b225769ef65a53b5f8586ed6edb991f763ee5300417 - Sections: - .text: - Entropy: 6.629799424341935 - Virtual Size: '0x40475' - .rdata: - Entropy: 4.912185025833945 - Virtual Size: '0xcc84' - .data: - Entropy: 4.945319467301306 - Virtual Size: '0xa3e0' - .rsrc: - Entropy: 6.594798012652241 - Virtual Size: '0x121ac' - Signature: '' - Signatures: {} -MitreID: T1068 -Resources: -- https://gist.github.com/mgraeber-rc/1bde6a2a83237f17b463d051d32e802c -Tags: -- powertools.exe -Verified: 'TRUE' diff --git a/yaml/9454a752-233e-4ba2-b585-8da242bf8f31.yaml b/yaml/9454a752-233e-4ba2-b585-8da242bf8f31.yaml index d0f6a3bff..ea166cbcc 100644 --- a/yaml/9454a752-233e-4ba2-b585-8da242bf8f31.yaml +++ b/yaml/9454a752-233e-4ba2-b585-8da242bf8f31.yaml 
@@ -2547,9 +2547,205 @@ KnownVulnerableSamples: Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012 Version: 1 +- Authentihash: + MD5: 5064073c3f84f1569377081c4ad33867 + SHA1: aca8e53483b40a06dfdee81bb364b1622f9156fe + SHA256: 3d31118a2e92377ecb632bd722132c04af4e65e24ff87743796c75eb07cfcd71 + Company: '' + Copyright: '' + CreationTimestamp: '2021-05-15 06:44:55' + Date: '' + Description: '' + ExportedFunctions: '' + FileVersion: '' + Filename: '' + ImportedFunctions: + - FwpsAcquireClassifyHandle0 + - FwpsReleaseClassifyHandle0 + - FwpmFilterDeleteById0 + - FwpsAcquireWritableLayerDataPointer0 + - FwpsApplyModifiedLayerData0 + - FwpmFilterAdd0 + - FwpmCalloutAdd0 + - FwpmSubLayerDeleteByKey0 + - FwpmSubLayerAdd0 + - FwpmTransactionAbort0 + - FwpmTransactionCommit0 + - FwpmTransactionBegin0 + - FwpmEngineClose0 + - FwpmEngineOpen0 + - FwpsCalloutUnregisterById0 + - FwpsCompleteClassify0 + - FwpsCalloutRegister1 + - IofCallDriver + - IoCreateFile + - IoFreeIrp + - IoGetRelatedDeviceObject + - ObReferenceObjectByHandle + - ObfDereferenceObject + - ZwQueryInformationFile + - ZwSetInformationFile + - ZwReadFile + - ZwWriteFile + - ZwClose + - IoFileObjectType + - KeEnterCriticalRegion + - KeLeaveCriticalRegion + - PsTerminateSystemThread + - KeSetBasePriorityThread + - sprintf + - CmUnRegisterCallback + - CmRegisterCallbackEx + - CmCallbackGetKeyObjectID + - MmIsAddressValid + - strlen + - strncmp + - strncpy + - wcscat + - wcslen + - wcsncmp + - RtlInitAnsiString + - strcat + - strcmp + - strncat + - ExAllocatePoolWithTag + - ExAcquireSpinLockExclusive + - ExReleaseSpinLockExclusive + - wcscpy + - RtlAnsiStringToUnicodeString + - RtlFreeUnicodeString + - RtlCreateSecurityDescriptor + - RtlSetDaclSecurityDescriptor + - KeResetEvent + - KeInitializeTimerEx + - KeSetTimerEx + - PsCreateSystemThread + - ZwCreateKey + - ZwOpenKey + - ZwFlushKey + - ZwQueryValueKey + - ZwSetValueKey + - NtQueryInformationToken + 
- RtlLengthSid + - RtlConvertSidToUnicodeString + - RtlCreateAcl + - RtlAddAccessAllowedAce + - RtlSetOwnerSecurityDescriptor + - PsLookupProcessByProcessId + - ObOpenObjectByPointer + - ZwOpenProcessTokenEx + - ZwSetSecurityObject + - PsGetProcessImageFileName + - _allmul + - PsProcessType + - SeExports + - strchr + - strncpy_s + - MmProbeAndLockPages + - MmUnlockPages + - IoAllocateMdl + - IoFreeMdl + - IoReuseIrp + - IoAllocateIrp + - RtlUnwind + - KeWaitForSingleObject + - KeSetEvent + - KeInitializeEvent + - KeGetCurrentThread + - IoDeleteSymbolicLink + - KeBugCheckEx + - ExFreePoolWithTag + - RtlInitUnicodeString + - RtlCopyUnicodeString + - strcpy + - memset + - memcpy + - strstr + - WskDeregister + - WskReleaseProviderNPI + - WskCaptureProviderNPI + - WskRegister + - KeGetCurrentIrql + - WdfVersionBind + - WdfVersionBindClass + - WdfVersionUnbindClass + - WdfVersionUnbind + Imports: + - fwpkclnt.sys + - ntoskrnl.exe + - NETIO.SYS + - HAL.dll + - WDFLDR.SYS + InternalName: '' + MD5: cb34374f1b5fb771076872c6b14b7501 + MachineType: I386 + MagicHeader: 50 45 0 0 + OriginalFilename: '' + PDBPath: '' + Product: '' + ProductVersion: '' + Publisher: '' + RichPEHeaderHash: + MD5: f0b684c190bdbac4aa311a7355122963 + SHA1: b7866474ab0a322b84086fccf1948d5a8b7f03a0 + SHA256: 33c5dfb8ba99a1d23f6a99cb34c04977b2455fa6c59e79dbad4d910516357bae + SHA1: 118f688c30a2f6c2d1feb955f53ce4acf3086b3b + SHA256: e0afb8b937a5907fbe55a1d1cc7574e9304007ef33fa80ff3896e997a1beaf37 + Sections: + .data: + Entropy: 0.6890836305716007 + Virtual Size: '0x9428' + .rdata: + Entropy: 4.565535020821956 + Virtual Size: '0x5f4' + .reloc: + Entropy: 6.678416291453968 + Virtual Size: '0x694' + .text: + Entropy: 6.340579412340497 + Virtual Size: '0x5de8' + INIT: + Entropy: 5.674405086792681 + Virtual Size: '0xb48' + Signature: '' + Signatures: + - Certificates: + - IsCertificateAuthority: false + SerialNumber: 33000000b5213fca1e4aa03de40000000000b5 + Signature: 
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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.11 + Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Hardware Compatibility Publisher + TBS: + MD5: a0dd89c33c4973bf6758331e200fb6de + SHA1: 65ff7fa429c0f08f8a8bf30509e8ca2919d9edb5 + SHA256: 29a7b646af062aee3bf37d1ba190211365116db7d7aa4cb87ba268843262ae47 + ValidFrom: '2020-12-15 22:15:33' + ValidTo: '2021-12-02 22:15:33' + Version: 3 + - IsCertificateAuthority: true + SerialNumber: 610baac1000000000009 + Signature: 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 + SignatureAlgorithmOID: 1.2.840.113549.1.1.11 + Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Third Party Component CA 2012 + TBS: + MD5: a569061297e8e824767dbc3184a69bea + SHA1: adbb26a587a8f44b4fccaecb306f980d1c55a150 + SHA256: cec1afd0e310c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46 + ValidFrom: '2012-04-18 23:48:38' + ValidTo: '2027-04-18 23:58:38' + Version: 3 + CertificatesInfo: '' + Signer: + - Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft + Windows Third Party Component CA 2012 + SerialNumber: 33000000b5213fca1e4aa03de40000000000b5 + Version: 1 + SignerInfo: '' MitreID: T1068 Resources: - https://gist.github.com/mgraeber-rc/1bde6a2a83237f17b463d051d32e802c Tags: - Netfilter.sys -Verified: 'TRUE' +Verified: 'TRUE' \ No newline at end of file diff --git a/yaml/a7628504-9e35-4e42-91f7-0c0a512549f4.yml b/yaml/a7628504-9e35-4e42-91f7-0c0a512549f4.yml index 366c0ed9f..77280adfa 100644 --- a/yaml/a7628504-9e35-4e42-91f7-0c0a512549f4.yml +++ b/yaml/a7628504-9e35-4e42-91f7-0c0a512549f4.yml @@ -613,4 +613,4 @@ KnownVulnerableSamples: MagicHeader: 50 45 0 0 CreationTimestamp: '2007-11-17 01:40:29' Tags: -- SANDRA +- SANDRA.sys diff --git a/yaml/bc5e020a-ecff-43c8-b57b-ee17b5f65b21.yaml b/yaml/bc5e020a-ecff-43c8-b57b-ee17b5f65b21.yaml index b204c6e06..1f7eb0527 100644 
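Review bot: The tag context line in this hunk reads `- Netfilter.sys`, while the same patch tags the moved `old/dcdb48ea-…` file `- netfilter.sys`, and likewise `- SANDRA.sys` in the a7628504 hunk against `- sandra.sys` in bc5e020a; consumers that match tags by exact string will treat these as different drivers. Normalising the `Tags` values to a single case convention in the files this patch already touches (for example `- netfilter.sys` here) would avoid that split. The `Filename`, `OriginalFilename` and `Description` fields of the appended sample are all `''`, so as in the 14556074 hunk the tag is the only name attached to these hashes.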
--- a/yaml/bc5e020a-ecff-43c8-b57b-ee17b5f65b21.yaml +++ b/yaml/bc5e020a-ecff-43c8-b57b-ee17b5f65b21.yaml @@ -846,9 +846,8 @@ KnownVulnerableSamples: Version: 1 MitreID: T1068 Resources: -- ' https://github.com/jbaines-r7/dellicious' -- ' https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/' -- https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/ +- 'https://github.com/jbaines-r7/dellicious' +- 'https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/' Tags: - sandra.sys Verified: 'TRUE' diff --git a/yaml/ecabc507-2cc7-4011-89ab-7d9d659e6f88.yaml b/yaml/ecabc507-2cc7-4011-89ab-7d9d659e6f88.yaml index aa510254b..3c16ec522 100644 --- a/yaml/ecabc507-2cc7-4011-89ab-7d9d659e6f88.yaml +++ b/yaml/ecabc507-2cc7-4011-89ab-7d9d659e6f88.yaml @@ -256,5 +256,5 @@ MitreID: T1068 Resources: - https://gist.github.com/mgraeber-rc/1bde6a2a83237f17b463d051d32e802c Tags: -- i8042prt +- VBoxMouseNT.sys Verified: 'TRUE'
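Review bot: The two rewritten Resources entries are single-quoted (`- 'https://github.com/jbaines-r7/dellicious'`) whereas every other Resources line in this patch, including the gist URL in the ecabc507 hunk below, is a bare scalar; YAML reads both identically, but the quotes are a leftover from the malformed `' https://…'` entries being fixed and can go. Writing them as `- https://github.com/jbaines-r7/dellicious` and `- https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/` matches the rest of the corpus.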