---
# Sigma rule: flags the loading of the Dell BIOS update driver (DBUtil_2_3.sys)
# that is vulnerable to CVE-2021-21551. Two independent signals are used:
# the driver's image path (SELECTION_2) and known file hashes (SELECTION_3..8).
title: Vulnerable Dell BIOS Update Driver Load
author: Florian Roth
date: 2021/05/05
description: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551

detection:
  # Sysmon event 6 (driver loaded) under the driver_load logsource.
  SELECTION_1:
    EventID: 6
  # Name-based match; a renamed copy of the driver is only caught by the hash selections below.
  SELECTION_2:
    ImageLoaded: '*\DBUtil_2_3.Sys*'
  # NOTE(review): the 64/40/32 hex-digit values look like SHA256/SHA1/MD5 of two driver
  # builds; matching them relies on the Sysmon configuration recording those algorithms
  # in the Hashes field — confirm against the deployed config.
  SELECTION_3:
    Hashes: '*0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5*'
  SELECTION_4:
    Hashes: '*c948ae14761095e4d76b55d9de86412258be7afd*'
  SELECTION_5:
    Hashes: '*c996d7971c49252c582171d9380360f2*'
  SELECTION_6:
    Hashes: '*ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1*'
  SELECTION_7:
    Hashes: '*10b30bdee43b3a2ec4aa63375577ade650269d25*'
  SELECTION_8:
    Hashes: '*d2fd132ab7bbc6bbb87a84f026fa0244*'
  # Driver-load event AND (known path OR any known hash); redundant grouping removed.
  condition: SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8)

falsepositives:
  - legitimate BIOS driver updates (should be rare)

id: 21b23707-60d6-41bb-96e3-0f0481b0fed9
level: high

logsource:
  category: driver_load
  product: windows

references:
  - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/

tags:
  - attack.privilege_escalation
  - cve.2021.21551

# NOTE(review): the two keys below are not part of the Sigma rule schema and appear to be
# converter-generated metadata; yml_path embeds an absolute path from a personal workstation
# (user home directory) — confirm the consuming tool needs it before shipping this file.
yml_filename: driver_load_vuln_dell_driver.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/driver_load