HKTL_CS_BOF_AMD_Ryzen_Exploit_Jan23_1

Rule Info

Name
HKTL_CS_BOF_AMD_Ryzen_Exploit_Jan23_1
Author
Florian Roth
Description
Detects Cobalt Strike (CS) Beacon-Object-File (BOF) for kernel exploitation using AMD's Ryzen Master Driver (version 17)
Score
80
Reference
https://github.com/tijme/amd-ryzen-master-driver-v17-exploit
Date
2023-01-22
Modified
2023-02-01
Minimum Yara
1.7
Rule Hash
6af666173dcae537aa46496f17fa53c2
Tags
['T1550_002', 'COBALTSTRIKE', 'HKTL', 'EXPLOIT']
Required Modules
[]
Virustotal Matches
https://www.virustotal.com/gui/search/hktl_cs_bof_amd_ryzen_exploit_jan23_1/comments

Antivirus Verdicts

Rating
Number of Samples
Malicious (>= 10 engines)
1
Suspicious (< 10 engines)
6
Clean (0 engines)
14

Rule Matches

Timestamp
Positives
Total
Hash
VT
2023-04-08 18:27:53
9
59
4b145ce9950ad977019ae6c6fc50abb17c0c1148826172be19ac6a4f5b8525b3
2023-04-08 18:27:50
9
59
efa888fd3a25dbf52d3e3c2f7f0cb0583e5ab40188759e13e527be2fc57ceddc
2023-04-08 18:11:56
9
70
f198ccd76433d1ab40d16cb29110538f44c206b845df3d3a1f76fbcf94373068
2023-04-08 18:11:56
6
70
1786f9c8a233ea7a7b5d66eb4667490524255b21accbc5c5430bc4e393e54c71
2023-02-03 02:18:16
0
70
cd688dc0e5b7b6c5e506c153d4c52ab7023b27a438423ccf77bf61be4d1971b6
2023-02-01 23:28:09
0
61
61ce35449d56bc211712f74051a8d70d3f02e342115a6bf324cb9f14049cf6ab
2023-01-31 18:39:50
0
70
f05359fe5793e947711c72cc8413e3b1d96c8a54eaafe4803827c4414f2f8e85
2023-01-31 06:35:47
0
50
eeaa0184fb8389b7c4906f29de3fb8b6cfcd367e631e7c1bb4b299093c18930b
2023-01-29 19:02:48
0
60
21eff475823c239d183c2d40e670ec7823ba3e1ceebb9ff0af0f34d16e89e139
2023-01-29 19:02:41
0
59
0ef68256411f61945a53193d7c23abe8eefe135512b779d7ad2c053a16feb373
2023-01-29 09:09:56
20
69
270cdb3438600c3551658922b9a4f64c47df2b683ba68d0cf4b640be4af6dc99
2023-01-29 07:03:40
0
62
e3cfd1a4c9fcb2cce681a7ab5ef5a85fc2f9b749368332399c08816ffa2080eb
2023-01-29 01:14:40
1
70
ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5
2023-01-26 21:55:28
0
62
a6209617f1c5e544f1d0115b9d826522803317cca99cb4e2366849392cbeba65
2023-01-26 21:54:13
0
62
e436327ff32fa08cc2b1d41f95a34e33ff10d0fa0222b3d70498bb735af2166f
2023-01-26 01:25:41
0
70
77955af8a8bcea8998f4046c2f8534f6fb1959c71de049ca2f4298ba47d8f23a
2023-01-25 06:24:42
0
57
3094213e21ac1a51ae38a32a0cf61ad1e081c45f5d0782b0a8242d2e8368ed86
2023-01-23 13:21:30
0
70
bb82d8c29127955d58dff58978605a9daa718425c74c4bce5ae3e53712909148
2023-01-23 12:25:26
0
70
4cd6dbc00264998beb4f4c09c10e3577b6e0579380856e205a9335b331f4261d
2023-01-23 12:25:23
0
70
37f16c8232ec679ee400c76272fc9b56977524e70cfd5cce375ab79f4750bf64
2023-01-23 12:16:52
5
67
031797ff492135c40f66738f474e859abc1d7277a8cd222edcd48b776fd16b95

Rule Matches per Month (last 24 months)

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022