-
Notifications
You must be signed in to change notification settings - Fork 126
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #184 from nasbench/reorder-fields
chore: reorder fields
- Loading branch information
Showing
425 changed files
with
335,024 additions
and
333,846 deletions.
There are no files selected for viewing
Large diffs are not rendered by default.
Oops, something went wrong.
Large diffs are not rendered by default.
Oops, something went wrong.
23,109 changes: 11,574 additions & 11,535 deletions
23,109
yaml/043773c5-120a-4c6b-8485-8f1f5c47fd3e.yaml
Large diffs are not rendered by default.
Oops, something went wrong.
Large diffs are not rendered by default.
Oops, something went wrong.
10,655 changes: 5,332 additions & 5,323 deletions
10,655
yaml/0567c6c4-282f-406f-9369-7f876b899c25.yaml
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,48 +1,48 @@ | ||
| Acknowledgement: | ||
| Handle: '' | ||
| Person: '' | ||
| Id: 058fb356-e0ff-4f5e-8293-319feb005db2 | ||
| Tags: | ||
| - bandai.sys | ||
| Verified: 'FALSE' | ||
| Author: Michael Haag | ||
| Category: vulnerable driver | ||
| Commands: | ||
| Command: sc.exe create bandai.sys binPath=C:\windows\temp\bandai.sys type=kernel | ||
| && sc.exe start bandai.sys | ||
| Description: '' | ||
| OperatingSystem: Windows 10 | ||
| Privileges: kernel | ||
| Usecase: Elevate privileges | ||
| Created: '2023-01-09' | ||
| Detection: [] | ||
| Id: 058fb356-e0ff-4f5e-8293-319feb005db2 | ||
| KnownVulnerableSamples: | ||
| - Company: '' | ||
| Date: '' | ||
| Description: '' | ||
| FileVersion: '' | ||
| Filename: bandai.sys | ||
| MachineType: '' | ||
| OriginalFilename: '' | ||
| Product: '' | ||
| ProductVersion: '' | ||
| Publisher: '' | ||
| SHA1: 0f780b7ada5dd8464d9f2cc537d973f5ac804e9c | ||
| Signature: [] | ||
| LoadsDespiteHVCI: 'FALSE' | ||
| - Company: '' | ||
| Date: '' | ||
| Description: '' | ||
| FileVersion: '' | ||
| Filename: bandai.sys | ||
| MachineType: '' | ||
| OriginalFilename: '' | ||
| Product: '' | ||
| ProductVersion: '' | ||
| Publisher: '' | ||
| SHA1: ea360a9f23bb7cf67f08b88e6a185a699f0c5410 | ||
| Signature: [] | ||
| LoadsDespiteHVCI: 'FALSE' | ||
| MitreID: T1068 | ||
| Category: vulnerable driver | ||
| Commands: | ||
| Command: sc.exe create bandai.sys binPath=C:\windows\temp\bandai.sys type=kernel | ||
| && sc.exe start bandai.sys | ||
| Description: '' | ||
| OperatingSystem: Windows 10 | ||
| Privileges: kernel | ||
| Usecase: Elevate privileges | ||
| Resources: | ||
| - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules | ||
| Tags: | ||
| - bandai.sys | ||
| Verified: 'FALSE' | ||
| Detection: [] | ||
| Acknowledgement: | ||
| Handle: '' | ||
| Person: '' | ||
| KnownVulnerableSamples: | ||
| - Company: '' | ||
| Date: '' | ||
| Description: '' | ||
| FileVersion: '' | ||
| Filename: bandai.sys | ||
| MachineType: '' | ||
| OriginalFilename: '' | ||
| Product: '' | ||
| ProductVersion: '' | ||
| Publisher: '' | ||
| SHA1: 0f780b7ada5dd8464d9f2cc537d973f5ac804e9c | ||
| Signature: [] | ||
| LoadsDespiteHVCI: 'FALSE' | ||
| - Company: '' | ||
| Date: '' | ||
| Description: '' | ||
| FileVersion: '' | ||
| Filename: bandai.sys | ||
| MachineType: '' | ||
| OriginalFilename: '' | ||
| Product: '' | ||
| ProductVersion: '' | ||
| Publisher: '' | ||
| SHA1: ea360a9f23bb7cf67f08b88e6a185a699f0c5410 | ||
| Signature: [] | ||
| LoadsDespiteHVCI: 'FALSE' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,134 +1,134 @@ | ||
| Acknowledgement: | ||
| Handle: '' | ||
| Person: '' | ||
| Id: 0590655c-baa2-481a-b909-463534bd7a5e | ||
| Tags: | ||
| - daxin_blank5.sys | ||
| Verified: 'TRUE' | ||
| Author: Michael Haag | ||
| Category: malicious | ||
| Commands: | ||
| Command: sc.exe create daxin_blank5.sys binPath=C:\windows\temp\daxin_blank5.sys type=kernel | ||
| && sc.exe start daxin_blank5.sys | ||
| Description: Driver used in the Daxin malware campaign. | ||
| OperatingSystem: Windows 10 | ||
| Privileges: kernel | ||
| Usecase: Elevate privileges | ||
| Created: '2023-02-28' | ||
| Detection: [] | ||
| Id: 0590655c-baa2-481a-b909-463534bd7a5e | ||
| KnownVulnerableSamples: | ||
| - Authentihash: | ||
| MD5: da0d70a9fd3a61a2802af4a07bed29d4 | ||
| SHA1: 99a969b2deded8b2d403268cd49139463c06b484 | ||
| SHA256: 954789c665098cf491a9bdf4e04886bad8992a393f91ccbca239bff40cc6dca6 | ||
| Company: '' | ||
| Copyright: '' | ||
| CreationTimestamp: '2008-07-17 19:29:43' | ||
| Date: '' | ||
| Description: '' | ||
| ExportedFunctions: '' | ||
| FileVersion: '' | ||
| Filename: daxin_blank5.sys | ||
| ImportedFunctions: | ||
| - MmUnlockPages | ||
| - KeInsertQueueApc | ||
| - strncmp | ||
| - KeInitializeApc | ||
| - MmProbeAndLockPages | ||
| - IoAllocateMdl | ||
| - _except_handler3 | ||
| - IoQueueWorkItem | ||
| - KeAttachProcess | ||
| - KeDetachProcess | ||
| - IoGetCurrentProcess | ||
| - IoFreeWorkItem | ||
| - RtlFreeUnicodeString | ||
| - ZwClose | ||
| - ZwWriteFile | ||
| - ZwCreateFile | ||
| - RtlAnsiStringToUnicodeString | ||
| - IofCompleteRequest | ||
| - ExFreePool | ||
| - ExAllocatePoolWithTag | ||
| - InterlockedDecrement | ||
| - MmMapLockedPagesSpecifyCache | ||
| - IoFreeMdl | ||
| - InterlockedExchange | ||
| - InterlockedIncrement | ||
| - swprintf | ||
| - RtlCopyUnicodeString | ||
| - ExfInterlockedInsertTailList | ||
| - wcsncmp | ||
| - IoCreateSymbolicLink | ||
| - RtlInitUnicodeString | ||
| - IoCreateDevice | ||
| - IoDeleteSymbolicLink | ||
| - KeInitializeSpinLock | ||
| - IoDeleteDevice | ||
| - _strnicmp | ||
| - ExfInterlockedRemoveHeadList | ||
| - IoAllocateWorkItem | ||
| - KfAcquireSpinLock | ||
| - KfReleaseSpinLock | ||
| - NdisAllocateMemory | ||
| - NdisFreePacket | ||
| - NdisAllocatePacket | ||
| - NdisResetEvent | ||
| - NdisCloseAdapter | ||
| - NdisAllocateBuffer | ||
| - NdisInitializeEvent | ||
| - NdisOpenAdapter | ||
| - NdisFreeMemory | ||
| - NdisQueryAdapterInstanceName | ||
| - NdisDeregisterProtocol | ||
| - NdisSetEvent | ||
| - NdisFreeBufferPool | ||
| - NdisAllocatePacketPool | ||
| - NdisFreePacketPool | ||
| - NdisRegisterProtocol | ||
| - NdisWaitEvent | ||
| - NdisAllocateBufferPool | ||
| - NdisCopyFromPacketToPacket | ||
| Imports: | ||
| - ntoskrnl.exe | ||
| - HAL.dll | ||
| - NDIS.SYS | ||
| InternalName: '' | ||
| MD5: f242cffd9926c0ccf94af3bf16b6e527 | ||
| MachineType: I386 | ||
| MagicHeader: 50 45 0 0 | ||
| OriginalFilename: '' | ||
| Product: '' | ||
| ProductVersion: '' | ||
| Publisher: n/a | ||
| RichPEHeaderHash: | ||
| MD5: 6c5319c52cabf708cac1121ed7df420b | ||
| SHA1: 4d9f5c969d83ff20b202263d6d4a38aed8deb9f3 | ||
| SHA256: cb3c84a0789027aef0c0aef452da254f600b2f17ed53054a5a68765f708302d4 | ||
| SHA1: 53f776d9a183c42b93960b270dddeafba74eb3fb | ||
| SHA256: 9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51 | ||
| Sections: | ||
| .text: | ||
| Entropy: 6.333612663607225 | ||
| Virtual Size: '0x3146' | ||
| .rdata: | ||
| Entropy: 3.9544250034604453 | ||
| Virtual Size: '0x104' | ||
| .data: | ||
| Entropy: 2.1263450977868867 | ||
| Virtual Size: '0x4ec9c' | ||
| INIT: | ||
| Entropy: 5.2278974725553775 | ||
| Virtual Size: '0x62e' | ||
| .reloc: | ||
| Entropy: 4.026524390647434 | ||
| Virtual Size: '0x724' | ||
| Signature: Unsigned | ||
| Signatures: {} | ||
| Imphash: a09170ef09c55cdca9472c02cb1f2647 | ||
| LoadsDespiteHVCI: 'TRUE' | ||
| MitreID: T1068 | ||
| Category: malicious | ||
| Commands: | ||
| Command: sc.exe create daxin_blank5.sys binPath=C:\windows\temp\daxin_blank5.sys type=kernel | ||
| && sc.exe start daxin_blank5.sys | ||
| Description: Driver used in the Daxin malware campaign. | ||
| OperatingSystem: Windows 10 | ||
| Privileges: kernel | ||
| Usecase: Elevate privileges | ||
| Resources: | ||
| - https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48 | ||
| - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage | ||
| - '' | ||
| Tags: | ||
| - daxin_blank5.sys | ||
| Verified: 'TRUE' | ||
| Detection: [] | ||
| Acknowledgement: | ||
| Handle: '' | ||
| Person: '' | ||
| KnownVulnerableSamples: | ||
| - Authentihash: | ||
| MD5: da0d70a9fd3a61a2802af4a07bed29d4 | ||
| SHA1: 99a969b2deded8b2d403268cd49139463c06b484 | ||
| SHA256: 954789c665098cf491a9bdf4e04886bad8992a393f91ccbca239bff40cc6dca6 | ||
| Company: '' | ||
| Copyright: '' | ||
| CreationTimestamp: '2008-07-17 19:29:43' | ||
| Date: '' | ||
| Description: '' | ||
| ExportedFunctions: '' | ||
| FileVersion: '' | ||
| Filename: daxin_blank5.sys | ||
| ImportedFunctions: | ||
| - MmUnlockPages | ||
| - KeInsertQueueApc | ||
| - strncmp | ||
| - KeInitializeApc | ||
| - MmProbeAndLockPages | ||
| - IoAllocateMdl | ||
| - _except_handler3 | ||
| - IoQueueWorkItem | ||
| - KeAttachProcess | ||
| - KeDetachProcess | ||
| - IoGetCurrentProcess | ||
| - IoFreeWorkItem | ||
| - RtlFreeUnicodeString | ||
| - ZwClose | ||
| - ZwWriteFile | ||
| - ZwCreateFile | ||
| - RtlAnsiStringToUnicodeString | ||
| - IofCompleteRequest | ||
| - ExFreePool | ||
| - ExAllocatePoolWithTag | ||
| - InterlockedDecrement | ||
| - MmMapLockedPagesSpecifyCache | ||
| - IoFreeMdl | ||
| - InterlockedExchange | ||
| - InterlockedIncrement | ||
| - swprintf | ||
| - RtlCopyUnicodeString | ||
| - ExfInterlockedInsertTailList | ||
| - wcsncmp | ||
| - IoCreateSymbolicLink | ||
| - RtlInitUnicodeString | ||
| - IoCreateDevice | ||
| - IoDeleteSymbolicLink | ||
| - KeInitializeSpinLock | ||
| - IoDeleteDevice | ||
| - _strnicmp | ||
| - ExfInterlockedRemoveHeadList | ||
| - IoAllocateWorkItem | ||
| - KfAcquireSpinLock | ||
| - KfReleaseSpinLock | ||
| - NdisAllocateMemory | ||
| - NdisFreePacket | ||
| - NdisAllocatePacket | ||
| - NdisResetEvent | ||
| - NdisCloseAdapter | ||
| - NdisAllocateBuffer | ||
| - NdisInitializeEvent | ||
| - NdisOpenAdapter | ||
| - NdisFreeMemory | ||
| - NdisQueryAdapterInstanceName | ||
| - NdisDeregisterProtocol | ||
| - NdisSetEvent | ||
| - NdisFreeBufferPool | ||
| - NdisAllocatePacketPool | ||
| - NdisFreePacketPool | ||
| - NdisRegisterProtocol | ||
| - NdisWaitEvent | ||
| - NdisAllocateBufferPool | ||
| - NdisCopyFromPacketToPacket | ||
| Imports: | ||
| - ntoskrnl.exe | ||
| - HAL.dll | ||
| - NDIS.SYS | ||
| InternalName: '' | ||
| MD5: f242cffd9926c0ccf94af3bf16b6e527 | ||
| MachineType: I386 | ||
| MagicHeader: 50 45 0 0 | ||
| OriginalFilename: '' | ||
| Product: '' | ||
| ProductVersion: '' | ||
| Publisher: n/a | ||
| RichPEHeaderHash: | ||
| MD5: 6c5319c52cabf708cac1121ed7df420b | ||
| SHA1: 4d9f5c969d83ff20b202263d6d4a38aed8deb9f3 | ||
| SHA256: cb3c84a0789027aef0c0aef452da254f600b2f17ed53054a5a68765f708302d4 | ||
| SHA1: 53f776d9a183c42b93960b270dddeafba74eb3fb | ||
| SHA256: 9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51 | ||
| Sections: | ||
| .text: | ||
| Entropy: 6.333612663607225 | ||
| Virtual Size: '0x3146' | ||
| .rdata: | ||
| Entropy: 3.9544250034604453 | ||
| Virtual Size: '0x104' | ||
| .data: | ||
| Entropy: 2.1263450977868867 | ||
| Virtual Size: '0x4ec9c' | ||
| INIT: | ||
| Entropy: 5.2278974725553775 | ||
| Virtual Size: '0x62e' | ||
| .reloc: | ||
| Entropy: 4.026524390647434 | ||
| Virtual Size: '0x724' | ||
| Signature: Unsigned | ||
| Signatures: {} | ||
| Imphash: a09170ef09c55cdca9472c02cb1f2647 | ||
| LoadsDespiteHVCI: 'TRUE' |
Oops, something went wrong.