漏洞描述
Checks if the system allows installation of unsigned kernel-mode drivers, which can be malicious.
unsigned-kernel-mode-drivers-allowed: Installation of Unsigned Kernel-Mode Drivers Allowed
PoC代码[已公开]
id: unsigned-kernel-mode-drivers-allowed
info:
name: Installation of Unsigned Kernel-Mode Drivers Allowed
author: princechaddha
severity: high
description: Checks if the system allows installation of unsigned kernel-mode drivers, which can be malicious.
impact: |
Unsigned kernel-mode drivers can be malicious and compromise system security.
remediation: |
Restrict the installation of unsigned drivers by enforcing driver signature checks.
tags: drivers,kernel-mode,code,windows-audit
self-contained: true
code:
- pre-condition: |
IsWindows();
engine:
- powershell.exe
args:
- -ExecutionPolicy
- Bypass
pattern: "*.ps1"
source: |
if ((Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverInstall' -Name 'BehaviorOnFailedVerify' -ErrorAction SilentlyContinue).BehaviorOnFailedVerify -eq 0) { Write-Output 'Unsigned driver installation allowed'; }
matchers:
- type: word
words:
- "Unsigned driver installation allowed"
# digest: 4a0a00473045022100fdc8d6474c5d684196142e2d90e9840dd18ca1a1c7ae9bb31dc39a8c39a0a5ea02207c45135d828d0298c89d45253c831bed0b620a6fa4c4a645066993a45c05591b:922c64590222798bb761d5b6d8e72950