724d7989-dfce-4bb2-9beb-dee15df5b790

skill.sys :inline

Description

Confirmed vulnerable driver from Microsoft Block List

  • UUID: 724d7989-dfce-4bb2-9beb-dee15df5b790
  • Created: 2023-07-22
  • Author: Michael Haag
  • Acknowledgement: |

DownloadBlock

Use CasePrivilegesOperating System
Elevate privilegeskernelWindows

Detections

YARA 🏹

Expand

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://gist.github.com/mgraeber-rc/1bde6a2a83237f17b463d051d32e802c

    • CVE

    • Known Vulnerable Samples

    PropertyValue
    Filename
    Creation Timestamp2016-09-05 00:43:33
    MD52b36d61f6e7420977648ed27e784adf1
    SHA1c92a386622f04a5733cb238d33cedea4272a3f85
    SHA2560c1b21978c6aef881f056f7b9c909b56488019459ed256511d78a4588d1aa7a4
    Authentihash MD537458813b5115cbf06552da28fefbbbb
    Authentihash SHA11d1cafc73c97c6bcd2331f8777d90fdca57125a3
    Authentihash SHA256faa08cb609a5b7be6bfdb61f1e4a5e8adf2f5a1d2492f262483df7326934f5d4
    RichPEHeaderHash MD5b2f23c03be4553a744ff25735a80073c
    RichPEHeaderHash SHA12703d60c8f12df9d6adf5ae475bfeb1786486888
    RichPEHeaderHash SHA25646ffd109664b6694974986a39d508002d564434d60a0fb9f861401f2cb2c83f1

    Download

    Imports

    Expand
    • ntoskrnl.exe

    Imported Functions

    Expand
    • IoDeleteSymbolicLink
    • RtlInitUnicodeString
    • IofCompleteRequest
    • MmGetSystemRoutineAddress
    • IoCreateSymbolicLink
    • IoCreateDevice
    • IoDeleteDevice

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .data
    • .pdata
    • .info
    • INIT

    Signature

    Expand

    source

    last_updated: 2024-09-26