Add fildds.sys, flink.sys, filwfp.sys

magicsword-io / LOLDrivers

Living Off The Land Drivers

https://www.loldrivers.io/

Apache License 2.0

1.04k stars 123 forks source link

Add fildds.sys, flink.sys, filwfp.sys #169

Closed VirarK closed 5 months ago

VirarK commented 8 months ago

Hello, is it possible to add this driver associated with FilSecLab products ? It haves CVEs associated with, and can be used to perform malicious actions.

CVEs: https://github.com/zeze-zeze/WindowsKernelVuln/tree/master/CVE-2023-1444

VT links: https://www.virustotal.com/gui/file/f8c07b6e2066a5a22a92d9f521ecdeb8c68698c400e4b83e0501b9f340957c22/details

VirarK commented 8 months ago

https://x.com/SophosXOps/status/1764933865574207677?s=20

These drivers are now actively used by attackers to kill EDRs using a custom PE.

"SHA256 hashes for the abused files are f8c07b6e2066a5a22a92d9f521ecdeb8c68698c400e4b83e0501b9f340957c22 (fildds.sys), ae55a0e93e5ef3948adecf20fa55b0f555dcf40589917a5bfbaa732075f0cc12 (filnk.sys) and 490cfbb540dcd70b7bff4fdd62e7ed7400bbfebaf5083523d49f7184670f7b9a (filwfp.sys)."

MHaggis commented 5 months ago

Yes! We will get these added