8d14d798-338f-471e-bacb-6d9371c0f529

dbutil.sys

We were not able to verify the hash of this driver successfully, it has not been confirmed.

Description

dbutil.sys is a vulnerable driver and more information will be added as found.

UUID: 8d14d798-338f-471e-bacb-6d9371c0f529
Created: 2023-01-09
Author: Michael Haag
Acknowledgement: |

Commands

sc.exe create dbutil.sys binPath=C:\windows\temp\dbutil.sys type=kernel &amp;&amp; sc.exe start dbutil.sys

Use Case	Privileges	Operating System
Elevate privileges	kernel	Windows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources

https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules

Known Vulnerable Samples

Property	Value
Filename	dbutil.sys
Creation Timestamp
MD5
SHA1	485c0b9710a196c7177b99ee95e5ddb35b26ddd1
SHA256

Imports

Expand

Imported Functions

Expand

Exported Functions

Expand

Sections

Expand

Signature

Expand

Property	Value
Filename	dbutil.sys
Creation Timestamp
MD5
SHA1	50e2bc41f0186fdce970b80e2a2cb296353af586
SHA256

Imports

Expand

Imported Functions

Expand

Exported Functions

Expand

Sections

Expand

Signature

Expand

Property	Value
Filename	dbutil.sys
Creation Timestamp
MD5
SHA1	e3c1dd569aa4758552566b0213ee4d1fe6382c4b
SHA256

Imports

Expand

Imported Functions

Expand

Exported Functions

Expand

Sections

Expand

Signature

Expand

Property	Value
Filename	dbutil.sys
Creation Timestamp
MD5
SHA1	e09b5e80805b8fe853ea27d8773e31bff262e3f7
SHA256

Imports

Expand

Imported Functions

Expand

Exported Functions

Expand

Sections

Expand

Signature

Expand

source

last_updated: 2024-04-09