Malicious Driver Load By Name
Detects loading of known malicious drivers via the file name of the drivers.
Sigma rule
title: Malicious Driver Load By Name
id: 39b64854-5497-4b57-a448-40977b8c9679
status: test
description: Detects loading of known malicious drivers via the file name of the drivers.
references:
    - https://loldrivers.io/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-03
modified: 2023-12-02
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
    - attack.t1068
logsource:
    product: windows
    category: driver_load
detection:
    selection:
        ImageLoaded|endswith:
            - '\wfshbr64.sys'
            - '\ktmutil7odm.sys'
            - '\ktes.sys'
            - '\a26363e7b02b13f2b8d697abb90cd5c3.sys'
            - '\kt2.sys'
            - '\4748696211bd56c2d93c21cab91e82a5.sys'
            - '\malicious.sys'
            - '\a236e7d654cd932b7d11cb604629a2d0.sys'
            - '\spwizimgvt.sys'
            - '\c94f405c5929cfcccc8ad00b42c95083.sys'
            - '\fur.sys'
            - '\wantd.sys'
            - '\windbg.sys'
            - '\4118b86e490aed091b1a219dba45f332.sys'
            - '\gmer64.sys'
            - '\1fc7aeeff3ab19004d2e53eae8160ab1.sys'
            - '\poortry2.sys'
            - '\wintapix.sys'
            - '\daxin_blank6.sys'
            - '\6771b13a53b9c7449d4891e427735ea2.sys'
            - '\blacklotus_driver.sys'
            - '\air_system10.sys'
            - '\dkrtk.sys'
            - '\7.sys'
            - '\sense5ext.sys'
            - '\ktgn.sys'
            - '\ndislan.sys'
            - '\nlslexicons0024uvn.sys'
            - '\be6318413160e589080df02bb3ca6e6a.sys'
            - '\4.sys'
            - '\wantd_2.sys'
            - '\e29f6311ae87542b3d693c1f38e4e3ad.sys'
            - '\daxin_blank3.sys'
            - '\gftkyj64.sys'
            - '\daxin_blank2.sys'
            - '\wantd_4.sys'
            - '\reddriver.sys'
            - '\834761775.sys'
            - '\mlgbbiicaihflrnh.sys'
            - '\mjj0ge.sys'
            - '\daxin_blank.sys'
            - '\daxin_blank5.sys'
            - '\poortry1.sys'
            - '\msqpq.sys'
            - '\mimidrv.sys'
            - '\e939448b28a4edc81f1f974cebf6e7d2.sys'
            - '\prokiller64.sys'
            - '\nodedriver.sys'
            - '\wantd_3.sys'
            - '\lctka.sys'
            - '\kapchelper_x64.sys'
            - '\daxin_blank4.sys'
            - '\a9df5964635ef8bd567ae487c3d214c4.sys'
            - '\wantd_6.sys'
            - '\ntbios.sys'
            - '\wantd_5.sys'
            - '\pciecubed.sys'
            - '\mimikatz.sys'
            - '\nqrmq.sys'
            - '\2.sys'
            - '\poortry.sys'
            - '\ntbios_2.sys'
            - '\fgme.sys'
            - '\telephonuafy.sys'
            - '\typelibde.sys'
            - '\daxin_blank1.sys'
            - '\ef0e1725aaf0c6c972593f860531a2ea.sys'
            - '\5a4fe297c7d42539303137b6d75b150d.sys'
    condition: selection
falsepositives:
    - False positives may occur if one of the vulnerable driver names mentioned above did not change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non-vulnerable version.
    - If you experience a lot of FPs you could comment out the driver name or filter on its exact known legitimate location (when possible)
level: medium
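The following is an added example, not code from the Sigma rule or the SigmaHQ project. It applies the rule's `ImageLoaded|endswith` selection to a few constructed driver-load events (the shape a Sysmon Event ID 6 record takes after field mapping) so the matching behaviour is visible: Sigma string matching is case-insensitive by default, the leading backslash in each pattern anchors the match to a whole file name (so `\7.sys` does not fire on `17.sys`), and a malicious driver that has simply been renamed is missed, which is why this rule sits beside the hash-based "Malicious Driver Load" rule. Only a subset of the rule's names is embedded, and the sample events are constructed, not real telemetry.

```python
from typing import Optional

# Subset of the selection list, copied from the rule above. The leading
# backslash is part of the pattern: it anchors the suffix match to the
# file-name boundary so "x7.sys" or "17.sys" cannot satisfy "\7.sys".
MALICIOUS_DRIVER_NAMES = [
    r"\wfshbr64.sys",
    r"\gmer64.sys",
    r"\mimidrv.sys",
    r"\mimikatz.sys",
    r"\poortry.sys",
    r"\blacklotus_driver.sys",
    r"\7.sys",
]


def sigma_endswith(value: str, suffixes) -> Optional[str]:
    """Emulate the Sigma `endswith` modifier.

    Sigma string comparisons are case-insensitive unless the `cased`
    modifier is used, so both sides are lower-cased. Returns the pattern
    that matched, or None.
    """
    v = value.lower()
    for s in suffixes:
        if v.endswith(s.lower()):
            return s
    return None


def evaluate(event: dict) -> dict:
    """Apply `condition: selection` to one mapped event.

    The event uses the Sigma field name `ImageLoaded` (the DriverLoad
    field after field mapping). The result carries the rule level so a
    downstream pipeline can route it; the rule's own false-positive note
    still applies, so a hit on a name shared with a legitimate driver
    must be verified against the loaded file itself (signature, hash).
    """
    matched = sigma_endswith(str(event.get("ImageLoaded", "")), MALICIOUS_DRIVER_NAMES)
    return {
        "alert": matched is not None,
        "matched_name": matched,
        "level": "medium" if matched else None,
    }


# Constructed sample events (not real telemetry). The last two show the
# limits of name-based matching: a renamed driver is not caught, and an
# anchored pattern does not fire on a longer, unrelated name.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys"},
    {"ImageLoaded": r"C:\Users\Public\MIMIDRV.SYS"},        # case differs, still matches
    {"ImageLoaded": r"C:\Temp\7.sys"},                      # short name, anchored match
    {"ImageLoaded": r"C:\Windows\Temp\renamed_driver.sys"}, # renamed: missed by this rule
    {"ImageLoaded": r"C:\Temp\17.sys"},                     # not "\7.sys": no match
]


def run(events) -> list:
    """Evaluate every event and return the per-event results in order."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for ev, res in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"{ev['ImageLoaded']:<50} alert={res['alert']!s:<5} matched={res['matched_name']}")
```

In a real deployment the comparison is done by the SIEM after the rule is converted for that backend; the point of the stand-alone evaluation is to check, before tuning, which of your own driver paths the selection would hit and whether a proposed filter on a known legitimate location actually excludes only that path.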
Related rules
- Malicious Driver Load
- Vulnerable Driver Load
- Vulnerable Driver Load By Name
- Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- CobaltStrike Service Installations - Security