From f1397d60429a70fc17e269ce4142d42b15d8a703 Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Thu, 20 Jun 2024 13:30:09 -0600 Subject: [PATCH 1/2] Adding Chaos-RootKit Thank you @goosvorbook #171 --- .DS_Store | Bin 6148 -> 6148 bytes drivers/443e8d915c04c370b7c31bb5f11ebab7.bin | 3 + .../7cee2ce8-7881-4a9a-bb18-61587c95f4a2.yaml | 4 +- .../855ade1f-8a9e-4c9d-ab8e-d7e409609852.yaml | 18 +-- .../8ecc8439-0554-40d0-9130-c02941deadbe.yaml | 30 ++-- .../de62baae-872d-4e9a-b6d9-b0ac99854c66.yaml | 134 ++++++++++++++++++ .../e0e93453-1007-4799-ad02-9b461b7e0398.yaml | 1 - .../ff77b58d-e143-4f61-92de-c0d9bc0af7d5.yaml | 27 +++- 8 files changed, 185 insertions(+), 32 deletions(-) create mode 100644 drivers/443e8d915c04c370b7c31bb5f11ebab7.bin create mode 100644 yaml/de62baae-872d-4e9a-b6d9-b0ac99854c66.yaml diff --git a/.DS_Store b/.DS_Store index 6b63138314687a0701fd30d51c3a12ae645d9fdf..a0c3c4940877d3a62ebc4b92b9d3258278a9ae10 100644 GIT binary patch delta 76 zcmZoMXfc=|#>B)qu~2NHo+2aj#DLw41(+BanJ4owKIcqJDNatx&(C4p{E(5Gbu&8$ eKL=3lW=5v(%#-;=EIAk%7=Va@VRL}U7G?kjdlF3m delta 68 zcmZoMXfc=|#>B`mu~2NHo+2aD#DLwC4MbQb^D{l!%*XtbWn+Uh<7Rdaeh#3T&5F$5 WnJ4p$SaL7`0V4wg)8+t?EzAIYO%R^| diff --git a/drivers/443e8d915c04c370b7c31bb5f11ebab7.bin b/drivers/443e8d915c04c370b7c31bb5f11ebab7.bin new file mode 100644 index 000000000..544e0ab9d --- /dev/null +++ b/drivers/443e8d915c04c370b7c31bb5f11ebab7.bin @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bdc73f752c1353d41e877d8bf42a1c53f0bba7d6f52348aaef60e06f4d3087d0 +size 17728 diff --git a/yaml/7cee2ce8-7881-4a9a-bb18-61587c95f4a2.yaml b/yaml/7cee2ce8-7881-4a9a-bb18-61587c95f4a2.yaml index 999a86bb2..ae9a1a28e 100644 --- a/yaml/7cee2ce8-7881-4a9a-bb18-61587c95f4a2.yaml +++ b/yaml/7cee2ce8-7881-4a9a-bb18-61587c95f4a2.yaml 
@@ -7,10 +7,10 @@ Verified: 'TRUE' Commands: Command: sc.exe create DcProtect.sys binPath=C:\windows\temp\DcProtect.sys type=kernel && sc.exe start DcProtect.sys - Description: 'bundled with chinese application "DrvCeo" is a set of rootkits. The + Description: bundled with chinese application "DrvCeo" is a set of rootkits. The malicious functionality. prevents registry value writing where the registry key or value includes "dcprotect" or "drvceo". Prevents file deletion if pathname - contains "driverdownload", "program files\sysceo", "program files (x86)\sysceo"' + contains "driverdownload", "program files\sysceo", "program files (x86)\sysceo" Usecase: Elevate privileges Privileges: kernel OperatingSystem: Windows 10 diff --git a/yaml/855ade1f-8a9e-4c9d-ab8e-d7e409609852.yaml b/yaml/855ade1f-8a9e-4c9d-ab8e-d7e409609852.yaml index 2096b5b93..4f94ad3b8 100644 --- a/yaml/855ade1f-8a9e-4c9d-ab8e-d7e409609852.yaml +++ b/yaml/855ade1f-8a9e-4c9d-ab8e-d7e409609852.yaml @@ -3595,9 +3595,9 @@ KnownVulnerableSamples: Imphash: 037b9d19995faadf69a2ce134473e346 LoadsDespiteHVCI: 'FALSE' - Authentihash: - MD5: 36afdbf3a369c8ff9c0ca2f665dcc935 - SHA1: 2c4c54ed54d72f63861fbfdcb05814a2227d055c - SHA256: bb6e40eebe61bc24353169707d927c3ecc2adc58111560d1b09831c6e6a92e21 + MD5: 412ef4ebc757553588f2cab078fce8b2 + SHA1: 66e230a181956aaddb22599e94a3ff5690f3686b + SHA256: a70e41db9103b4b842af8962a531adeefcaba559b12a5c0063e4084e0cee75be Company: Elaborate Bytes Copyright: Copyright (C) Elaborate Bytes 2000 CreationTimestamp: '2000-11-30 16:02:08' 
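Review bot: Every `Authentihash` value in this hunk (MD5, SHA1, SHA256) is replaced while the sample's own MD5/SHA1/SHA256 and `Imphash` stay the same, and nothing in the commit message ("Adding Chaos-RootKit") records which computation was wrong; Authentihash is a pivot that detection and blocklist tooling can key on, so a silent swap breaks any consumer that cached the old values. Presumably this comes from a fix to the hash generator — that reason belongs in the commit message or a changelog note, and the same applies to the other `855ade1f` and `8ecc8439` hunks below. If the old values were wrong, entries that were not regenerated in this patch should be treated as suspect until they are recomputed with the same tool.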
@@ -4399,9 +4399,9 @@ KnownVulnerableSamples: Imphash: b91054cdc4c8b3169cfe6c157f6d9f07 LoadsDespiteHVCI: 'FALSE' - Authentihash: - MD5: ea9d1332583bfa9f5ac5f04fe5369899 - SHA1: 8971f6be64e046f2d04262af06cddd4032dadacb - SHA256: 096946d71621fdec7879ca4b219926fb435bddb9940bdb86a5741e4191b23f61 + MD5: 73002b48efe7e3852acc803a2a0bc806 + SHA1: c3fb8cdc5b36a3f5a6505c2ee3ecdfba2c314703 + SHA256: a975856b36523ab51b5c4043bc7b13ed22cd74c2a01b6763a89c118563227bd3 Company: Elaborate Bytes AG Copyright: Copyright (C) 2000 - 2002 Elaborate Bytes AG CreationTimestamp: '2002-11-29 04:38:16' @@ -4685,9 +4685,9 @@ KnownVulnerableSamples: Imphash: afee876e89b51e2cc7c91353fb588fe6 LoadsDespiteHVCI: 'FALSE' - Authentihash: - MD5: fedc7776f0f8bf6c2cbc56413a3bbf80 - SHA1: 5c93165d6a432c58ac7ea149d2d1b7787ec56208 - SHA256: cfd605d38f358d62bdc8cdd26dd0507adb732e0bf4dc5c5123e900daee91263d + MD5: af23e615a116b1c4976d0f53d4369431 + SHA1: 330d0e648948b46ba1f3c7297f92f4c8f6b686a8 + SHA256: 80b9c02772e93f64330ad2ccfa04e10d2546732de00626e85f42c19dc53019f1 Company: Elaborate Bytes Copyright: Copyright (C) Elaborate Bytes 2000 CreationTimestamp: '2001-03-27 07:38:46' diff --git a/yaml/8ecc8439-0554-40d0-9130-c02941deadbe.yaml b/yaml/8ecc8439-0554-40d0-9130-c02941deadbe.yaml index 1e84a6c03..0ddc74eee 100644 --- a/yaml/8ecc8439-0554-40d0-9130-c02941deadbe.yaml +++ b/yaml/8ecc8439-0554-40d0-9130-c02941deadbe.yaml @@ -201,9 +201,9 @@ KnownVulnerableSamples: Signature: '' Imphash: 8b41eacbfbe5f5348579e27d30767e74 Authentihash: - MD5: 71e94ae106500dae5a417f585de7b7dc - SHA1: f99fb23abfff0a2f05f5cf9e4e8462f95452d123 - SHA256: dc66f649a4c5324c0aee784152639a91569a1fc2857b294b369fc16e229716ee + MD5: 382653c2b7d28bcbdd8c7860c88a9feb + SHA1: 8013b3c978824417017d0e74b0c4bd412e49f330 + SHA256: 7ffa770cebf9f3774388a3a26854bea5e63b498bc9be8b6e36faee0e3b8ccfa3 RichPEHeaderHash: MD5: 72e6be525c0e5cfe3d35b914a5297b20 SHA1: 2ffd414097e1c5d7ff411de4282156dcc56debfb 
@@ -477,9 +477,9 @@ KnownVulnerableSamples: Signature: '' Imphash: 8d2a933d039e8b8134ef41236d5ea843 Authentihash: - MD5: 1984d23ae2567fcc52991e90aa4db0ae - SHA1: fa9b6367de0dc167edc9665d86bfa4c4acc9090c - SHA256: 4db3d1b695a3ce9b5772997648672ab18d1c72b11cfaaa064c68fdb7849631af + MD5: 8f415388decb57f3221dd69cf468687a + SHA1: 87551544a5055b76b1fb2bb6fa45945df52e2cc6 + SHA256: 362f4af90611ac14fc58a8a32b1e35f1b98a14fcec9a9a75a1eddf8cc16f66c6 RichPEHeaderHash: MD5: c556eabb01acc563d3072cd12969940b SHA1: 4cd47adc61202eb2ce67fbeceaa44d7b214fb761 @@ -545,9 +545,9 @@ KnownVulnerableSamples: Signature: '' Imphash: 8d2a933d039e8b8134ef41236d5ea843 Authentihash: - MD5: b56c5549825ea6f63833d0b45cefc53f - SHA1: e3aefadddd6ef935b3bbd55ce5444f39725d5d9b - SHA256: 627cff52c9a025d47c78d048d6cd4441d88ab6b5a047643f188bfa70cf51f992 + MD5: 7e8bd7f1d0c46c78c21f8f2a0f7b4092 + SHA1: 3ddcb2f0e68d279e60bfa51082d44d21d28c91b6 + SHA256: fdd0aa05751b31f04b409f4d1ac8619a8c2a41869d1b8bcaa51457e712f11f0b RichPEHeaderHash: MD5: c556eabb01acc563d3072cd12969940b SHA1: 4cd47adc61202eb2ce67fbeceaa44d7b214fb761 @@ -613,9 +613,9 @@ KnownVulnerableSamples: Signature: '' Imphash: 8d2a933d039e8b8134ef41236d5ea843 Authentihash: - MD5: e9fdc37c4fbb50a54332326c3acf6306 - SHA1: cc2cb981eba10e47b9808f9121912fa5c794af6a - SHA256: 2bfb520910ce96af9256747a157f9e9c13ab3a4a5192bc89c3237e734abdde45 + MD5: deb8d3302a88ed7c4e7a2c75e4909bae + SHA1: e861de1aa3a4943d54dce1700d412db416b63066 + SHA256: aad42128cbf258f4ccadcc5f4085910abd1c221fb7530af7fcaf6ab5ce8a5d15 RichPEHeaderHash: MD5: c556eabb01acc563d3072cd12969940b SHA1: 4cd47adc61202eb2ce67fbeceaa44d7b214fb761 
@@ -681,9 +681,9 @@ KnownVulnerableSamples: Signature: '' Imphash: 8b41eacbfbe5f5348579e27d30767e74 Authentihash: - MD5: 742fb07853a369dceb380af33c0be60c - SHA1: 37310c027eb0899af246edb95a4ad68643cd9c49 - SHA256: 3f5d7a0115a28883d712567bd1675392eae7c9fff50cba2c7b2e33d164cac761 + MD5: f154c4ae8f1bb052fb78dcadb9874380 + SHA1: b11dbcb6b7622051cc00352f973048e27e068f77 + SHA256: b0c5425b6d3eb3f3a1b0c3f8ed81f9c3d9a7602874bea56784027f7fa9f77827 RichPEHeaderHash: MD5: c556eabb01acc563d3072cd12969940b SHA1: 4cd47adc61202eb2ce67fbeceaa44d7b214fb761 diff --git a/yaml/de62baae-872d-4e9a-b6d9-b0ac99854c66.yaml b/yaml/de62baae-872d-4e9a-b6d9-b0ac99854c66.yaml new file mode 100644 index 000000000..694f15f39 --- /dev/null +++ b/yaml/de62baae-872d-4e9a-b6d9-b0ac99854c66.yaml 
@@ -0,0 +1,134 @@
+Id: de62baae-872d-4e9a-b6d9-b0ac99854c66
+Author: goosvorbook
+Created: '2024-06-20'
+MitreID: T1068
+Category: vulnerable driver
+Verified: 'TRUE'
+Commands:
+ Command: sc.exe create Chaos-Rootkit.sys binPath=C:\windows\temp\Chaos-Rootkit.sys
+ type=kernel && sc.exe start Chaos-Rootkit.sys
+ Description: Chaos-Rootkit is a x64 ring0 rootkit with process hiding, privilege
+ escalation, and capabilities for protecting and unprotecting processes and ability
+ to restrict access to files except for whitelisted process work seamlessly on
+ the latest Windows versions.
+ Usecase: Elevate privileges
+ Privileges: kernel
+ OperatingSystem: Windows 11
+Resources:
+- https://github.com/ZeroMemoryEx/Chaos-Rootkit
+Acknowledgement:
+ Person: ''
+ Handle: ''
+Detection: []
+KnownVulnerableSamples:
+- Filename: ''
+ MD5: 443e8d915c04c370b7c31bb5f11ebab7
+ SHA1: c3f8b7f0995073abb58c2aec1b6062f89fe838a0
+ SHA256: bdc73f752c1353d41e877d8bf42a1c53f0bba7d6f52348aaef60e06f4d3087d0
+ Signature: ''
+ Date: ''
+ Publisher: ''
+ Company: ''
+ Description: ''
+ Product: ''
+ ProductVersion: ''
+ FileVersion: ''
+ MachineType: AMD64
+ OriginalFilename: ''
+ Imphash: 0abe54d37cd1a70ed9041ab7d80318a9
+ Authentihash:
+ MD5: cec49dd8b1dbb091e3d6f8134cee5bdc
+ SHA1: a4b5442d906715caaadc011d0c2fa44cd894dbfe
+ SHA256: 23be3616a4fb4e620f971e4348dc46b7980abca6463be3cb4b83769a955f2810
+ RichPEHeaderHash:
+ MD5: ae12000e18da8fac0c57ef3d7cd3236e
+ SHA1: 803fe53650c7d62f0652d87117cab64e01934e73
+ SHA256: 329187edf745b2d770774d2c1698151b8e63215b7bc7f56dceb4b2894efe0501
+ Sections:
+ .text:
+ Entropy: 5.914594854595524
+ Virtual Size: '0x21c5'
+ .rdata:
+ Entropy: 4.584664357463394
+ Virtual Size: '0xa74'
+ .data:
+ Entropy: 0.9644793977280222
+ Virtual Size: '0x588'
+ .pdata:
+ Entropy: 3.7773529743020946
+ Virtual Size: '0x15c'
+ INIT:
+ Entropy: 4.897285864473433
+ Virtual Size: '0x4f6'
+ .reloc:
+ Entropy: 3.756091254141947
+ Virtual Size: '0x38'
+ MagicHeader: 50 45 0 0
+ CreationTimestamp: '2024-02-24 04:54:46'
+ InternalName: ''
+ Copyright: ''
+ Imports:
+ - FLTMGR.SYS
+ - ntoskrnl.exe
+ - WDFLDR.SYS
+ ExportedFunctions: ''
+ ImportedFunctions:
+ - FltGetRequestorProcessId
+ - KeWaitForSingleObject
+ - ExInitializePushLock
+ - ExAcquirePushLockExclusiveEx
+ - ExReleasePushLockExclusiveEx
+ - MmProbeAndLockPages
+ - MmUnlockPages
+ - MmProtectMdlSystemAddress
+ - MmMapLockedPagesSpecifyCache
+ - MmUnmapLockedPages
+ - IoAllocateMdl
+ - IofCompleteRequest
+ - KeReleaseMutex
+ - IoCreateSymbolicLink
+ - IoDeleteDevice
+ - IoDeleteSymbolicLink
+ - IoFreeMdl
+ - ObfDereferenceObject
+ - NtCreateFile
+ - PsReferencePrimaryToken
+ - PsLookupProcessByProcessId
+ - PsGetProcessImageFileName
+ - __C_specific_handler
+ - wcsstr
+ - RtlCopyUnicodeString
+ - DbgPrintEx
+ - KeInitializeMutex
+ - RtlGetVersion
+ - DbgPrint
+ - MmGetSystemRoutineAddress
+ - IoCreateDevice
+ - WdfVersionBindClass
+ - WdfVersionUnbind
+ - WdfLdrQueryInterface
+ - WdfVersionBind
+ - WdfVersionUnbindClass
+ Signatures:
+ - CertificatesInfo: ''
+ SignerInfo: ''
+ Certificates:
+ - Subject: CN=WDKTestCert anash,133231280654008727
+ ValidFrom: '2023-03-12 20:54:25'
+ ValidTo: '2033-03-12 00:00:00'
+ Signature: 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
+ SignatureAlgorithmOID: 1.2.840.113549.1.1.5
+ IsCertificateAuthority: true
+ SerialNumber: 13d597c6ebaaaf994d4463d3387c0dd2
+ Version: 3
+ TBS:
+ MD5: 6b552c6f192fd7c811a7f292b41dd282
+ SHA1: fbd054373b922c03cad87c948c29ed2ed0883910
+ SHA256: e9098f46ff7e02093422a6e4745f420d41fc08c66a95b6f62f09b44297bf35af
+ SHA384: 4b008e59d2ea4c49427250d7da08075c183e7759d91b9defaf47873d9dab76f2b9e17cd95aeee7ca99ea0967a3ceeb0f
+ Signer:
+ - SerialNumber: 13d597c6ebaaaf994d4463d3387c0dd2
+ Issuer: CN=WDKTestCert anash,133231280654008727
+ Version: 1
+Tags:
+- Chaos-Rootkit.sys
diff --git a/yaml/e0e93453-1007-4799-ad02-9b461b7e0398.yaml b/yaml/e0e93453-1007-4799-ad02-9b461b7e0398.yaml
index 560c7001e..29da97cb3 100644
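Review bot: The sample is signed only by a self-issued WDK test certificate (`Subject` and `Issuer` are both `CN=WDKTestCert anash,133231280654008727`, `IsCertificateAuthority: true`), so the `sc.exe create ... && sc.exe start` line under `Commands` will normally be refused by Driver Signature Enforcement on a stock Windows 11 install; `Verified: 'TRUE'` and `OperatingSystem: Windows 11` should state that prerequisite, e.g. append to `Description`: `Test-signed with a WDK test certificate; loading requires test-signing mode or a DSE bypass and fails on a default Windows 11 configuration.` `Category: vulnerable driver` with `MitreID: T1068` also reads wrong for a purpose-built rootkit — the description itself lists process hiding and process protection, which is T1014 (Rootkit), and the repository's malicious-driver category is the closer fit if the schema allows it. `Detection: []` is left empty even though the hunk already supplies stable pivots — `Imphash: 0abe54d37cd1a70ed9041ab7d80318a9`, certificate `SerialNumber: 13d597c6ebaaaf994d4463d3387c0dd2`, the service name `Chaos-Rootkit.sys` — and `Filename: ''` contradicts `Tags: - Chaos-Rootkit.sys`, so at least `Filename: Chaos-Rootkit.sys` should be filled in.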
--- a/yaml/e0e93453-1007-4799-ad02-9b461b7e0398.yaml +++ b/yaml/e0e93453-1007-4799-ad02-9b461b7e0398.yaml @@ -208,7 +208,6 @@ KnownVulnerableSamples: SHA256: 78b94bc1db7ed451dff0467fac7a5e568a1d35f9cabcffbdb4690c13719861bb Description: RogueKiller Antirootkit Driver Company: Adlice Software - Product: Truesight Copyright: Copyright Adlice Software(C) 2023 MachineType: AMD64 Imports: diff --git a/yaml/ff77b58d-e143-4f61-92de-c0d9bc0af7d5.yaml b/yaml/ff77b58d-e143-4f61-92de-c0d9bc0af7d5.yaml index ef755e9bf..f4e29f4ce 100644 --- a/yaml/ff77b58d-e143-4f61-92de-c0d9bc0af7d5.yaml +++ b/yaml/ff77b58d-e143-4f61-92de-c0d9bc0af7d5.yaml @@ -1,5 +1,5 @@ Id: ff77b58d-e143-4f61-92de-c0d9bc0af7d5 -Author: 'Defence Tech security' +Author: Defence Tech security Created: '2024-02-22' MitreID: T1068 CVE: @@ -19,7 +19,7 @@ Acknowledgement: Handle: '' Detection: [] KnownVulnerableSamples: -- Filename: 'ACE-BASE.sys' +- Filename: ACE-BASE.sys Libraries: - ntoskrnl.exe - FLTMGR.SYS @@ -242,7 +242,7 @@ KnownVulnerableSamples: Imphash: 13ad56e7c65468e58c468f56e33687d4 Machine: AMD64 MagicHeader: 50 45 0 0 - CreationTimestamp: '2022-02-22 15:16:48' + CreationTimestamp: '2022-02-22 08:16:48' RichPEHeaderMD5: 062556004ee11c5a66737fee0c2ef190 RichPEHeaderSHA1: 67512e1821c28bf63354cc771c15c6e65982911d RichPEHeaderSHA256: 87208680099d7e82d232a61048f4acaaa4a7b49ad81501cbff1fd3f12c80256a @@ -269,10 +269,10 @@ KnownVulnerableSamples: Entropy: 5.359883496957578 Virtual Size: '0x1ad0' .rsrc: - Entropy: 3.3592051915529972 + Entropy: 3.359205191552997 Virtual Size: '0x3d0' .reloc: - Entropy: 6.834766060295567 + Entropy: 6.834766060295568 Virtual Size: '0xf00' .tvm0: Entropy: 5.528023547055279 
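Review bot: In the `@@ -242` hunk `CreationTimestamp` moves from `'2022-02-22 15:16:48'` to `'2022-02-22 08:16:48'`, a shift of exactly seven hours with no change to the sample's hashes, which looks like the generator running under a different local timezone rather than a corrected value; the field carries no timezone, so a consumer cannot tell which of the two matches the PE header. Pin the generator to UTC and record that convention in the schema documentation (or the field comment) so regenerations stop flipping existing entries; until then this value should not be treated as ground truth. The entropy edits in the `@@ -269` hunk are last-digit float-formatting noise from the same regeneration and are harmless.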
@@ -336,5 +336,22 @@ KnownVulnerableSamples: Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1 Version: 1 + Authentihash: + MD5: dd3bfadd02f076a1bdea2279c7be339b + SHA1: d2e7cbdf71ae78df5cc61c3dc4eacca4365c0f87 + SHA256: 2759e2290295a81e80ef5d8e95266aa08d67832c0af51267ad1100b89d8b890c + RichPEHeaderHash: + MD5: 062556004ee11c5a66737fee0c2ef190 + SHA1: 67512e1821c28bf63354cc771c15c6e65982911d + SHA256: 87208680099d7e82d232a61048f4acaaa4a7b49ad81501cbff1fd3f12c80256a + Description: ACE-BASE64 NT Driver + Company: ANTICHEATEXPERT.COM + Product: Anti-Cheat Expert + Copyright: "\xA9 AntiCheatExpert.com Limited. All Rights Reserved." + MachineType: AMD64 + Imports: + - ntoskrnl.exe + - FLTMGR.SYS + - HAL.dll Tags: - '' From a7838bfd3dadc4a93227b7829aca40c01a4735c3 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 26 Jun 2024 00:19:25 +0200 Subject: [PATCH 2/2] Delete .DS_Store --- .DS_Store | Bin 6148 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 .DS_Store diff --git a/.DS_Store b/.DS_Store deleted file mode 100644 index a0c3c4940877d3a62ebc4b92b9d3258278a9ae10..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeHK%}T>S5Z-O8Nhm@NiXH=A3s%7v@e*o%0V8@)sfmdij9E$2=1>Z`>I?ZMK94iI z8_`xzf=HQx*>5sGo9wq`x5F6YgK@aan9Ue7K@l4k4BrUGQ5U44JxxF^=ZILw@}SJ0 zf@C3^9RHC4+&hDXux~M&uuuCZ0*Jf@Pf45?-R>K2G+QgHhG7|P#c{28e;>WI&&GW_vl8N2?+Rh=E@)faik)is)*r6w0Fm2H64tw!kd~ zZ0sel#?k0%tQ0~7gsW0ORmydX!Bsi<9i8WDtQ4wp#&z?-^_#iwP`G?M%AQ7dm3Y@Wpx2-%m{%$MC;>xW h#gL0v@fN5Q@H=P#x*98m-~pjO0+I$Ah=D(4;2k>vQt1Ey
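Review bot: The added `RichPEHeaderHash` block duplicates the flat `RichPEHeaderMD5`/`RichPEHeaderSHA1`/`RichPEHeaderSHA256` keys that the `@@ -242` hunk above keeps as context (same values `062556004ee11c5a66737fee0c2ef190`, `67512e1821c28bf63354cc771c15c6e65982911d`, `87208680099d7e82d232a61048f4acaaa4a7b49ad81501cbff1fd3f12c80256a`), so this sample now carries the rich-header hash under two schemas and a later regeneration can update one without the other. Drop the three flat keys once the nested form is in, or keep one form across the corpus — the new `de62baae` entry uses only the nested `RichPEHeaderHash`. `Tags: - ''` is also still empty here while the new entry tags its filename; `- ACE-BASE.sys` would give this entry the same pivot.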