unknown.sys

Description

unknown.sys is an unattributed signed kernel driver documented in public UnknownKiller / BlackSnufkin BYOVD research. The public PoCs identify the driver as exposing a process-kill primitive suitable for BYOVD process termination research.

  • UUID: bffcac17-f20c-43cc-baf0-93fd20bc1ed5
  • Created: 2026-06-16
  • Author: Michael Haag
  • Acknowledgement: BlackSnufkin / lukmannurhikma | [@BlackSnufkin](https://twitter.com/@BlackSnufkin) / [@lukmannurhikma](https://twitter.com/@lukmannurhikma)


Commands

sc.exe create unknown binPath=C:\windows\temp\unknown.sys type=kernel && sc.exe start unknown

  • Use Case: Terminate processes from kernel mode through an unattributed vulnerable driver.
  • Privileges: kernel
  • Operating System: Windows 10, Windows 11

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation
  • Renamed: for renamed driver files

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources

  • https://github.com/BlackSnufkin/BYOVD/tree/main/UnknownKiller
  • https://github.com/lukmannurhikma/UnknownKiller

Known Vulnerable Samples

    Filename: unknown.sys
    Creation Timestamp: 2024-11-29 17:15:50
    MD5: 4e5136230ec590ce6ef038aac6e72cb2
    SHA1: ba914fe77b177b45799403b16dd14765c510a074
    SHA256: 97bd65e98cdc4e93d49edd4ea905d43a61244df0fd3323e6649330de3b1be091
    Authentihash MD5: 793ea731f474590d5542d0df0f1db133
    Authentihash SHA1: ed88d7f2d05454545272e80a8c6450783a4e6083
    Authentihash SHA256: 0d7099bd4a0714a354cfe36f312d907843bcaaa2a1e3dcf269637f58920b1e47
    RichPEHeaderHash MD5: 7aeb0c4cf7961d5e9a110c152b975dde
    RichPEHeaderHash SHA1: 2f65984d2f1c266865faa954b4becd6dc0aefc6f
    RichPEHeaderHash SHA256: c0e40a6d627e4ab5e7421b2a28abb50b2d1f5b51a0e587fe49487f6191b39983


    Certificates

    Certificate 77f685fe096792d8605e243ecdcc9f63eaf940b3
    ToBeSigned (TBS) MD5: 58c1bd6db58833b50407d01d1bd174e4
    ToBeSigned (TBS) SHA1: 6958f6814b8105d5fd3894b61dec15d1b5a7caf7
    ToBeSigned (TBS) SHA256: 61970b3445e9d357c3270a4c6f976bc7d074e47462e97111a8a0d199b89b313c
    Subject: C=CN, O=Microsoft Windows Hardware Compatibility Publisher, CN=Microsoft Windows Hardware Compatibility Publisher
    ValidFrom: 2025-09-01 16:20:58
    ValidTo: 2026-09-01 16:20:58
    Signature: 3046022100c43caac50d639f514a37d188330d15d91cbf2021c4d9b48e0e51fbe37180346e022100a13554245e188623b6ed5e24bd84488341f06f1c432159cdaf51176c91caeb57
    SignatureAlgorithmOID: 1.2.840.10045.4.3.2
    IsCertificateAuthority: False
    SerialNumber: 77f685fe096792d8605e243ecdcc9f63eaf940b3
    Version: 3

    Imports

    • ntoskrnl.exe

    Imported Functions

    • RtlInitUnicodeString
    • RtlAnsiStringToUnicodeString
    • RtlFreeUnicodeString
    • IofCompleteRequest
    • IoCreateDevice
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • __chkstk
    • RtlEqualUnicodeString
    • ExAllocatePoolWithTagPriority
    • ExFreePoolWithTag
    • MmProbeAndLockPages
    • MmUnlockPages
    • MmMapLockedPagesSpecifyCache
    • MmUnmapLockedPages
    • IoAllocateMdl
    • IoFreeMdl
    • IoGetCurrentProcess
    • ObReferenceObjectByHandle
    • ObfDereferenceObject
    • ObRegisterCallbacks
    • ObUnRegisterCallbacks
    • ZwClose
    • MmIsAddressValid
    • PsGetProcessId
    • IoCreateFileSpecifyDeviceObjectHint
    • ZwTerminateProcess
    • KeStackAttachProcess
    • KeUnstackDetachProcess
    • PsLookupProcessByProcessId
    • ZwDeleteFile
    • ZwAllocateVirtualMemory
    • ZwFreeVirtualMemory
    • ZwWaitForSingleObject
    • PsGetProcessWow64Process
    • PsGetProcessPeb
    • MmCopyVirtualMemory
    • ZwProtectVirtualMemory
    • RtlCreateUserThread
    • ZwQuerySystemInformation
    • __C_specific_handler
    • PsProcessType

    Exported Functions

    (none listed)

    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .reloc

    Signature

    {
      "Certificates": [
        {
          "CertificateType": "Intermediate",
          "IsCA": false,
          "IsCertificateAuthority": false,
          "IsCodeSigning": false,
          "SerialNumber": "77f685fe096792d8605e243ecdcc9f63eaf940b3",
          "Signature": "3046022100c43caac50d639f514a37d188330d15d91cbf2021c4d9b48e0e51fbe37180346e022100a13554245e188623b6ed5e24bd84488341f06f1c432159cdaf51176c91caeb57",
          "SignatureAlgorithmOID": "1.2.840.10045.4.3.2",
          "Subject": "C=CN, O=Microsoft Windows Hardware Compatibility Publisher, CN=Microsoft Windows Hardware Compatibility Publisher",
          "TBS": {
            "MD5": "58c1bd6db58833b50407d01d1bd174e4",
            "SHA1": "6958f6814b8105d5fd3894b61dec15d1b5a7caf7",
            "SHA256": "61970b3445e9d357c3270a4c6f976bc7d074e47462e97111a8a0d199b89b313c",
            "SHA384": "948c9bf666bfaa1208a9585c70b89210a0bdf5fc1c9120b2a9940f776a404323ed12d7b5045609ded0939b5b532d6fed"
          },
          "ValidFrom": "2025-09-01 16:20:58",
          "ValidTo": "2026-09-01 16:20:58",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=CN, O=Microsoft Windows Third Party Component CA, CN=Microsoft Windows Third Party Component CA",
          "SerialNumber": "77f685fe096792d8605e243ecdcc9f63eaf940b3",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }

    last_updated: 2026-06-16