f16f82de-1ad0-47d8-a869-2c10ed25d9f1

FH-EtherCAT_DIO.sys :inline

Description

The Carbon Black Threat Analysis Unit (TAU) discovered 34 unique vulnerable drivers (237 file hashes) accepting firmware access. Six allow kernel memory access. All give full control of the devices to non-admin users. By exploiting the vulnerable drivers, an attacker without the system privilege may erase/alter firmware, and/or elevate privileges. As of the time of writing in October 2023, the filenames of the vulnerable drivers have not been made public until now.

  • UUID: f16f82de-1ad0-47d8-a869-2c10ed25d9f1
  • Created: 2023-11-02
  • Author: Takahiro Haruyama
  • Acknowledgement: |

Download

This download link contains the vulnerable driver!

Commands

sc.exe create FH-EtherCAT_DIOsys binPath= C:\windows\temp\FH-EtherCAT_DIOsys.sys type=kernel && sc.exe start FH-EtherCAT_DIOsys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html

  • Known Vulnerable Samples

    PropertyValue
    Filename
    Creation Timestamp2018-05-28 23:01:50
    MD5eb0a8eeb444033ebf9b4b304f114f2c8
    SHA1b8d19cd28788ce4570623a5433b091a5fbd4c26d
    SHA2568001d7161d662a6f4afb4d17823144e042fd24696d8904380d48065209f28258
    Authentihash MD53fac9a0418f2319fc1b9ddc3fddde14f
    Authentihash SHA1f003d1d1abbb02b0b338aefdca8ea31b92e6b616
    Authentihash SHA256039f442ffbda7decaaf1e367db6fc6f28cc73d549527ef5bedf2be8badedbfd7
    RichPEHeaderHash MD501803160bf42f5cb8bc329909f9a7c1a
    RichPEHeaderHash SHA18c7dc2739a76bfa9fc36876dbc2cd5302cdb36f6
    RichPEHeaderHash SHA256ac2d1fd8107533a6331706b2967c0b0a4578fc69906cf04ad78519dbfb770417

    Download

    Imports

    Expand
    • ntoskrnl.exe
    • HAL.DLL

    Imported Functions

    Expand
    • IoDetachDevice
    • KeInitializeDpc
    • KeInitializeTimer
    • IoRegisterDeviceInterface
    • KeInitializeEvent
    • IoAttachDeviceToDeviceStack
    • IoCreateDevice
    • IoGetDeviceProperty
    • IoDeleteDevice
    • memset
    • IofCallDriver
    • MmUnmapIoSpace
    • IoDisconnectInterrupt
    • KeCancelTimer
    • KeSetTimer
    • IoSetDeviceInterfaceState
    • IoConnectInterrupt
    • DbgPrint
    • IofCompleteRequest
    • MmMapIoSpace
    • RtlAssert
    • KeDelayExecutionThread
    • ObReferenceObjectByHandle
    • ExEventObjectType
    • ObfDereferenceObject
    • KeWaitForSingleObject
    • KeSetEvent
    • KeInsertQueueDpc
    • WRITE_REGISTER_UCHAR
    • WRITE_REGISTER_USHORT
    • WRITE_REGISTER_ULONG
    • READ_REGISTER_UCHAR
    • READ_REGISTER_USHORT
    • READ_REGISTER_ULONG
    • ExAllocatePoolWithTag
    • RtlCopyUnicodeString
    • KeTickCount
    • ExFreePoolWithTag
    • KeStallExecutionProcessor
    • KfAcquireSpinLock
    • KfReleaseSpinLock
    • KeGetCurrentIrql

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • PAGE
    • INIT
    • .reloc

    Signature

    Expand

    PropertyValue
    Filename
    Creation Timestamp2018-05-28 23:01:57
    MD55c55fcfe39336de769bfa258ab4c901d
    SHA1170a50139f95ad1ec94d51fdd94c1966dbed0e47
    SHA256ae71f40f06edda422efcd16f3a48f5b795b34dd6d9bb19c9c8f2e083f0850eb7
    Authentihash MD548d0dc0f0c7f19a4ad4f923af1b971fd
    Authentihash SHA1364f53ed52e121182be0e0a21c17c2254894713d
    Authentihash SHA2565e7b92e6a1f656a70ed56ef2a190fce6bb3f12063b891fbfd722ca4e951de15f
    RichPEHeaderHash MD52de13e46d55279d7b416782d6bbc3090
    RichPEHeaderHash SHA11169c889d4f8d66a4ac942e365da0374b00c331e
    RichPEHeaderHash SHA2560d1ae3144674ac08c57920a12a0b7713a1e74aaa33b0122cf6052746d83767e4

    Download

    Certificates

    Expand
    Certificate 0a60585e11d143fc61db92bd9370b833
    FieldValue
    ToBeSigned (TBS) MD50d0c0b9219f7ce087c4a9c1e756b88c8
    ToBeSigned (TBS) SHA12841dd43b7491ce68f777036ff910b70c57efd0f
    ToBeSigned (TBS) SHA25611fb5faf42812f4c5781a03d9fbb7c8ed7b7786d44cd3bc986ed07d4447a38d3
    Subject??=JP, ??=Private Organization, serialNumber=1300,01,016824, C=JP, ST=Shiga, L=Kusatsu,city, O=OMRON Corporation, CN=OMRON Corporation
    ValidFrom2017-07-31 00:00:00
    ValidTo2018-07-31 23:59:59
    Signature8362ee2339efc4b452de6019f266520f926ffa5ee7db3ec05efb97c42e06be69f1b4834f69e0da8ddc09af08fb9efc56d43007561684066dd7537eefedfc200985c3f3ee0bf7969e755aef4af7f66874c5ac9d791a1168fb2e34076e506bf44e108a69329037284af5a68319423e34164ffafd9688c1fb58e38ea0c6156af531edc3ae2e6de17b5b63076e4362d606882fa9acb385cc9c21af896d49f0bb27aff846dc4a9ddd9b9de1b5eabfb42a3577813f2b3e3af20cd7980ee95bbacd92a3d8aa6a55f1e2357ba826af83aea21df5d60a9225de041acd03da2ae0b46cdbedbaa8fbc400bdabfe687ddd7866fc084b2f95b44de7a87562824de9f028b6ae45
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber0a60585e11d143fc61db92bd9370b833
    Version3
    Certificate 191a32cb759c97b8cfac118dd5127f49
    FieldValue
    ToBeSigned (TBS) MD5788b61bd26da89253179e3de2cdb527f
    ToBeSigned (TBS) SHA17d06f16e7bf21bce4f71c2cb7a3e74351451bf69
    ToBeSigned (TBS) SHA256b3c925b4048c3f7c444d248a2b101186b57cba39596eb5dce0e17a4ee4b32f19
    SubjectC=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2
    ValidFrom2014-03-04 00:00:00
    ValidTo2024-03-03 23:59:59
    Signature3f5b19f3fa13d575382a5aee9f5aa04ca91dc5cc94eede15fef5106ea41ba56483541858c40b28a185c34e74e5ff897cfed5ed3cba719f5602268f162a88feb0a32722ce4be2388e00a63a865f9de53ea8de644941744121fd07c88417da1d653082cb264f39d60427a481b14b49c3238b7e02321827b7ab0bf31872b6a4ee67066f38a6588de0f17e5da460c6a8e5505fe0e8bae28f9958b6b5a0a876f1a2f11c8841727e52979b0a36998d50f701eb3ce7f0226ae5358c63368a1ab1d967665f971aefa8209df02fba6cced9948500f158f17dc97c22b5075d02c6e60bbfab9393ff27188e33367e5734f1c3af04c184f156b3e8878336f8d30a31dc6e2c6d
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityTrue
    SerialNumber191a32cb759c97b8cfac118dd5127f49
    Version3
    Certificate 611993e400000000001c
    FieldValue
    ToBeSigned (TBS) MD578a717e082dcc1cda3458d917e677d14
    ToBeSigned (TBS) SHA14a872e0e51f9b304469cd1dedb496ee9b8b983a4
    ToBeSigned (TBS) SHA256317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8
    SubjectC=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5
    ValidFrom2011-02-22 19:25:17
    ValidTo2021-02-22 19:35:17
    Signature812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber611993e400000000001c
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • HAL.DLL

    Imported Functions

    Expand
    • ExFreePoolWithTag
    • IoRegisterDeviceInterface
    • IoSetDeviceInterfaceState
    • IoDeleteDevice
    • KeSetEvent
    • KeInitializeEvent
    • KeInitializeDpc
    • KeReleaseSpinLock
    • IoDetachDevice
    • MmUnmapIoSpace
    • KeInitializeTimer
    • KeDelayExecutionThread
    • ExEventObjectType
    • MmMapIoSpace
    • KeInsertQueueDpc
    • IofCompleteRequest
    • IoConnectInterrupt
    • ObReferenceObjectByHandle
    • KeWaitForSingleObject
    • IoAttachDeviceToDeviceStack
    • KeSetTimer
    • RtlCopyUnicodeString
    • ObfDereferenceObject
    • IoCreateDevice
    • IoDisconnectInterrupt
    • RtlAssert
    • KeCancelTimer
    • IoGetDeviceProperty
    • DbgPrint
    • IofCallDriver
    • KeAcquireSpinLockRaiseToDpc
    • KeBugCheckEx
    • ExAllocatePoolWithTag
    • KeStallExecutionProcessor

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • PAGE
    • INIT

    Signature

    Expand

    source

    last_updated: 2023-12-22