Description
Safetica STProcessMonitor / ProcessMonitorDriver.sys exposes process-termination functionality through vulnerable IOCTL paths documented in public BYOVD research. The tracked samples are the 11.26.18.0 build and the legacy 11.11.4.0 build; public research notes that affected versions can be abused to terminate endpoint security processes from kernel context. The import tables below are consistent with that: the driver creates a user-reachable device (IoCreateDevice, IoCreateSymbolicLink) and imports ZwOpenProcess and ZwTerminateProcess, so the open and terminate happen in kernel mode, where the access checks and protected-process (PPL) restrictions that stop a user-mode caller do not apply. That is what makes a signed copy of this driver useful to an attacker who already has administrator rights and wants to disable security tooling.

UUID: 0712c54c-69fd-41f2-950a-da678ac51246
Created: 2026-03-20
Author: Michael Haag
Download: this download link contains the vulnerable driver!
Commands
sc.exe create STProcessMonitor binPath= C:\windows\temp\STProcessMonitor.sys type= kernel && sc.exe start STProcessMonitor

sc.exe requires a space after each "option=" (binPath= and type=); without it the create call fails with a usage error. Loading a kernel service this way requires administrator rights (SeLoadDriverPrivilege), which is the usual BYOVD precondition.
Use Case: Disable security tools
Privileges: kernel
Operating System: Windows 10
Detections
Sigma
- Names: detects loading using name only
- Hashes: detects loading using hashes only

The name rule is evaded by renaming the file (the service's binPath is attacker-controlled and the driver loads under any file name); the hash rule only covers the tracked builds. Run both, and prefer blocking the driver over detecting it after it has loaded.
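The two Sigma rules above, plus a check on the load command shown under Commands, as an added example that is not part of the LOLDrivers page, Safetica's code, or the referenced research. It is written in Python so it runs offline over constructed Sysmon-style records (Event ID 6 DriverLoad and Event ID 1 ProcessCreate). The records are made up for this example, and the SHA-256 values in KNOWN_BAD_SHA256 are placeholders standing in for the real sample hashes, which the page does not reproduce.

```python
"""Minimal detector for STProcessMonitor.sys loads: a name rule, a hash rule,
and a rule on "sc.exe create ... type= kernel" pointing at a drop directory.
Added example; records and hashes below are constructed, not real telemetry."""
import re

# Rule 1 (name-only): both file names the page attributes to the driver.
DRIVER_NAMES = {"stprocessmonitor.sys", "processmonitordriver.sys"}

# Rule 2 (hash-only): PLACEHOLDER digests, not hashes of the real samples.
KNOWN_BAD_SHA256 = {
    "0" * 64,   # placeholder for the 11.26.18.0 build
    "1" * 64,   # placeholder for the legacy 11.11.4.0 build
}

# Rule 3: sc.exe registering a kernel service, as in the page's Commands.
SC_CREATE_KERNEL = re.compile(r"\bsc(?:\.exe)?\b.*\bcreate\b.*\btype=\s*kernel\b", re.I)
BINPATH = re.compile(r'binPath=\s*"?([^\s"]+)', re.I)
DROP_DIRS = ("\\windows\\temp\\", "\\users\\", "\\programdata\\")


def parse_sysmon_hashes(field):
    """Sysmon writes Hashes as 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..'."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def match_driver_load(event):
    """Sysmon Event ID 6 (DriverLoad). Returns the names of the rules that fired."""
    hits = []
    image = event.get("ImageLoaded", "").replace("/", "\\")
    if image.rsplit("\\", 1)[-1].lower() in DRIVER_NAMES:
        hits.append("loldrivers_name")
    if parse_sysmon_hashes(event.get("Hashes", "")).get("SHA256") in KNOWN_BAD_SHA256:
        hits.append("loldrivers_hash")
    return hits


def match_service_create(event):
    """Sysmon Event ID 1 (ProcessCreate): sc.exe creating a kernel service,
    escalated when the binary sits in a user-writable drop directory."""
    cmd = event.get("CommandLine", "")
    if not SC_CREATE_KERNEL.search(cmd):
        return []
    hits = ["kernel_service_create"]
    m = BINPATH.search(cmd)
    path = m.group(1).lower() if m else ""
    if any(d in path for d in DROP_DIRS):
        hits.append("kernel_service_from_drop_dir")
    return hits


def scan(events):
    """Route each record to the rule set for its event type; return alerts."""
    rules = {6: match_driver_load, 1: match_service_create}
    alerts = []
    for ev in events:
        hits = rules.get(ev["EventID"], lambda e: [])(ev)
        if hits:
            alerts.append((ev["EventID"], ev.get("ImageLoaded") or ev.get("CommandLine"), hits))
    return alerts


# Constructed records: (a) the page's own load command, (b) the driver loaded
# under its real name, (c) the same bytes renamed, (d) a benign driver load.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\sc.exe",
     "CommandLine": "sc.exe create STProcessMonitor binPath= C:\\windows\\temp\\STProcessMonitor.sys type= kernel"},
    {"EventID": 6, "ImageLoaded": "C:\\windows\\temp\\STProcessMonitor.sys",
     "Hashes": "SHA1=" + "a" * 40 + ",MD5=" + "b" * 32 + ",SHA256=" + "0" * 64 + ",IMPHASH=" + "c" * 32},
    {"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\driver.sys",
     "Hashes": "SHA256=" + "1" * 64},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Hashes": "SHA256=" + "f" * 64},
]

if __name__ == "__main__":
    for eid, subject, hits in scan(SAMPLE_EVENTS):
        print(f"EventID {eid}: {subject} -> {', '.join(hits)}")
```

Record (c) shows why the rules are layered: the renamed copy escapes the name rule and is caught only by hash, while a fresh build would escape the hash rule and be caught only by the sc.exe create pattern. Matching on the signer alone ("Microsoft Windows Hardware Compatibility Publisher", as in the certificate tables below) is not a usable rule, since that certificate is shared by every WHCP-signed third-party driver.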
Resources
https://www.cve.org/CVERecord?id=CVE-2025-70795
https://github.com/magicsword-io/LOLDrivers/issues/268
https://github.com/KOSEC-LLC/BYOVD-Research/tree/main/Safetica
https://github.com/BlackSnufkin/BYOVD/tree/main/STProcessMonitor-Killer

Known Vulnerable Samples

Sample 1
Certificates

Certificate 330000013c4a61fb3578d2b6dd00000000013c (leaf, code signing)
ToBeSigned (TBS) MD5: 93354b540685ae615b51e692ea0895de
ToBeSigned (TBS) SHA1: b38cd5d491c85bd55e9b111e98430171a01e9515
ToBeSigned (TBS) SHA256: 037c041a283132dc57d29bc339b4d0d006787e32ac0a60afd7206c41c9fbf61f
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher
ValidFrom: 2025-11-13 19:59:40
ValidTo: 2026-11-10 19:59:40
SignatureAlgorithmOID: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
IsCertificateAuthority: False
SerialNumber: 330000013c4a61fb3578d2b6dd00000000013c
Version: 3

Certificate 610baac1000000000009 (issuing CA)
ToBeSigned (TBS) MD5: a569061297e8e824767dbc3184a69bea
ToBeSigned (TBS) SHA1: adbb26a587a8f44b4fccaecb306f980d1c55a150
ToBeSigned (TBS) SHA256: cec1afd0e310c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012
ValidFrom: 2012-04-18 23:48:38
ValidTo: 2027-04-18 23:58:38
SignatureAlgorithmOID: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
IsCertificateAuthority: True
SerialNumber: 610baac1000000000009
Version: 3
Imports

Imported Functions: FltDeletePushLock, FltAcquirePushLockExclusiveEx, FltAcquirePushLockSharedEx, FltReleasePushLockEx, FltInitializePushLock, DbgPrintEx, KeGetCurrentIrql, ExFreePoolWithTag, ObfReferenceObject, ObfDereferenceObject, PsGetCurrentProcessId, PsGetCurrentThreadId, RtlInitUnicodeString, RtlCreateSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlGetVersion, KeSetEvent, KeEnterCriticalRegion, KeLeaveCriticalRegion, ExAllocatePoolWithTag, IofCompleteRequest, IoCreateDevice, IoCreateSymbolicLink, IoDeleteDevice, IoDeleteSymbolicLink, ObReferenceObjectByHandle, ZwClose, PsSetCreateProcessNotifyRoutineEx, ZwTerminateProcess, ZwOpenProcess, RtlCreateAcl, RtlAddAccessAllowedAce, ObOpenObjectByPointer, ZwSetSecurityObject, ExEventObjectType, SeExports, ZwSetInformationFile, KeLowerIrql, KfRaiseIrql, KeInitializeDpc, KeInsertQueueDpc, KeReleaseSemaphore, KeDelayExecutionThread, KeAcquireSpinLockRaiseToDpc, KeReleaseSpinLock, ExQueueWorkItem, ExReleaseResourceLite, ZwCreateFile, ZwWriteFile, ExAcquireResourceSharedLite, ZwOpenFile, _vsnwprintf

The pair ZwOpenProcess / ZwTerminateProcess is the kill primitive; IoCreateDevice / IoCreateSymbolicLink create the device object that user-mode callers reach with DeviceIoControl. This build also imports RtlCreateSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlCreateAcl, RtlAddAccessAllowedAce and ZwSetSecurityObject, which the other sample on this page does not; whether the DACL it builds restricts who can open the device is not something the page establishes, so treat the device as reachable by any administrator until verified.

Exported Functions: none listed

Sections: .text, .rdata, .data, .pdata, .edata, INIT, .rsrc, .reloc

Signature

```json
{
  "Certificates": [
    {
      "CertificateType": "Leaf (Code Signing)",
      "IsCA": false,
      "IsCertificateAuthority": false,
      "IsCodeSigning": true,
      "SerialNumber": "330000013c4a61fb3578d2b6dd00000000013c",
      "Signature": "...",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher",
      "TBS": {
        "MD5": "93354b540685ae615b51e692ea0895de",
        "SHA1": "b38cd5d491c85bd55e9b111e98430171a01e9515",
        "SHA256": "037c041a283132dc57d29bc339b4d0d006787e32ac0a60afd7206c41c9fbf61f",
        "SHA384": "bbef5ad51ba2a76ba3f0e39459837c9533a56420db0da55814511346155922c98ae905d6541df5a79895ce1a51d53491"
      },
      "ValidFrom": "2025-11-13 19:59:40",
      "ValidTo": "2026-11-10 19:59:40",
      "Version": 3
    },
    {
      "CertificateType": "CA",
      "IsCA": true,
      "IsCertificateAuthority": true,
      "IsCodeSigning": false,
      "SerialNumber": "610baac1000000000009",
      "Signature": "5a8a67daccd5fd0d264177bf0a4678b4b3de12692b7723c2652f015fd203f461ba509d2e8c3972f36c3e6ab11e766decb7f382dcccbbc56970287366173f54ebee011648c446d91b80ae813a8d0f796d68b09eea2d3f39d3ca387ebd5e7c086e19dcc6c2f438336861e2524783e1000156d2bacb878205310a418b4ee77f5f5fed5fd3392d45eba213bffd1ec298417161165fc80a70257c59693124e471e70abb0417f79f721ec9d2bb1abe3d02fe090cb243b4591a99539396215fe0d6b72601429536ac27fdbef48577683d18bdf4be98882211865216f345ec0397107087a37043713cdbc98603170cf5735bc67de15c64edd7c548d7ed32e2d1aad3cfa7f6574e61f977eb67f288b3de00da038fd08a34373e1dd862b8d2b1f3e12f8b723b81967c6ffcec667672601b24f2a0896d5b6d002eef28dd868705c2b4b9e5be64c22af24a155c98e2c42785ff52e3627e0fb2020bd766c70ab2d33d200414503259830a7d9bed5a38120152ba2f5e20728e4af1fde771028c3be107bec973f4dd47d8b4efb4a4b330b9893e76cab90098567eabea8ab8a5d038ab6977130b142fe9aa411ff7babd3a2b348aee0aab63e663f788248e200d2b3b9de3c24952ac9f1f0e393b5dd46e506ae67d523aaa7c3315290d265e0158a74ea93d7a846f743f609fe4324f3600af6d71d33ea646655f8174f1fec171da4ca0415a82ddf11f",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012",
      "TBS": {
        "MD5": "a569061297e8e824767dbc3184a69bea",
        "SHA1": "adbb26a587a8f44b4fccaecb306f980d1c55a150",
        "SHA256": "cec1afd0e310c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46",
        "SHA384": "e947cac936803f5683196e4ff1b259096073395d0b908522ddce90d57597c9f7b57f7ddcdbe021ba863d843c340da8ba"
      },
      "ValidFrom": "2012-04-18 23:48:38",
      "ValidTo": "2027-04-18 23:58:38",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012",
      "SerialNumber": "330000013c4a61fb3578d2b6dd00000000013c",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}
```
Sample 2
Certificates

Certificate 3300000125f31cb555767340d6000000000125 (leaf, code signing)
ToBeSigned (TBS) MD5: 581df130bb04487a6d19bc11b5098119
ToBeSigned (TBS) SHA1: 900451bd61a1199f8b4994f451af8201a1f40c7b
ToBeSigned (TBS) SHA256: 82efe580f6ea4f2a1f39e1f0eaf14983218c1eccbb5d7c80b421501bd4a05a90
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher
ValidFrom: 2025-02-20 20:08:09
ValidTo: 2026-02-18 20:08:09
SignatureAlgorithmOID: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
IsCertificateAuthority: False
SerialNumber: 3300000125f31cb555767340d6000000000125
Version: 3

Certificate 610baac1000000000009 (issuing CA)
ToBeSigned (TBS) MD5: a569061297e8e824767dbc3184a69bea
ToBeSigned (TBS) SHA1: adbb26a587a8f44b4fccaecb306f980d1c55a150
ToBeSigned (TBS) SHA256: cec1afd0e310c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012
ValidFrom: 2012-04-18 23:48:38
ValidTo: 2027-04-18 23:58:38
SignatureAlgorithmOID: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
IsCertificateAuthority: True
SerialNumber: 610baac1000000000009
Version: 3
Imports

Imported Functions: FltDeletePushLock, FltAcquirePushLockExclusiveEx, FltAcquirePushLockSharedEx, FltReleasePushLockEx, FltInitializePushLock, DbgPrintEx, KeGetCurrentIrql, ExFreePoolWithTag, ObfReferenceObject, ObfDereferenceObject, PsGetCurrentProcessId, PsGetCurrentThreadId, RtlInitUnicodeString, RtlGetVersion, KeSetEvent, KeEnterCriticalRegion, KeLeaveCriticalRegion, ExAllocatePoolWithTag, IofCompleteRequest, IoCreateDevice, IoCreateSymbolicLink, IoDeleteDevice, IoDeleteSymbolicLink, ObReferenceObjectByHandle, ZwClose, PsSetCreateProcessNotifyRoutineEx, ZwTerminateProcess, ZwOpenProcess, ExEventObjectType, ZwSetInformationFile, KeLowerIrql, KfRaiseIrql, KeInitializeDpc, KeInsertQueueDpc, KeReleaseSemaphore, KeDelayExecutionThread, KeAcquireSpinLockRaiseToDpc, KeReleaseSpinLock, ExQueueWorkItem, ExReleaseResourceLite, ZwCreateFile, ZwWriteFile, ExAcquireResourceSharedLite, ZwOpenFile, _vsnwprintf

Exported Functions: none listed

Sections: .text, .rdata, .data, .pdata, .edata, INIT, .rsrc, .reloc
Last updated: 2026-06-26