Add fildds.sys, flink.sys, filwfp.sys #169

Open
VirarK opened this issue Mar 8, 2024 · 1 comment
Comments

VirarK commented Mar 8, 2024

Hello, is it possible to add this driver associated with FilSecLab products?
It has CVEs associated with it, and can be used to perform malicious actions.

CVEs:
https://github.com/zeze-zeze/WindowsKernelVuln/tree/master/CVE-2023-1444

VT links:
https://www.virustotal.com/gui/file/f8c07b6e2066a5a22a92d9f521ecdeb8c68698c400e4b83e0501b9f340957c22/details

@VirarK VirarK changed the title Add Add fildds.sys Mar 8, 2024
@VirarK VirarK changed the title Add fildds.sys Add fildds.sys, flink.sys, filwfp.sys Mar 8, 2024
VirarK commented Mar 8, 2024

https://x.com/SophosXOps/status/1764933865574207677?s=20

These drivers are now actively used by attackers to kill EDRs using a custom PE.

"SHA256 hashes for the abused files are
f8c07b6e2066a5a22a92d9f521ecdeb8c68698c400e4b83e0501b9f340957c22 (fildds.sys), ae55a0e93e5ef3948adecf20fa55b0f555dcf40589917a5bfbaa732075f0cc12 (filnk.sys) and 490cfbb540dcd70b7bff4fdd62e7ed7400bbfebaf5083523d49f7184670f7b9a (filwfp.sys)."
