Malicious Driver Load By Name

Detects loading of known malicious drivers via the file name of the drivers.

Sigma rule

title: Malicious Driver Load By Name
id: 39b64854-5497-4b57-a448-40977b8c9679
status: test
description: Detects loading of known malicious drivers via the file name of the drivers.
references:
    - https://loldrivers.io/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-03
modified: 2023-12-02
tags:
    - attack.privilege-escalation
    - attack.t1543.003
    - attack.t1068
logsource:
    product: windows
    category: driver_load
detection:
    selection:
        ImageLoaded|endswith:
            - '\wfshbr64.sys'
            - '\ktmutil7odm.sys'
            - '\ktes.sys'
            - '\a26363e7b02b13f2b8d697abb90cd5c3.sys'
            - '\kt2.sys'
            - '\4748696211bd56c2d93c21cab91e82a5.sys'
            - '\malicious.sys'
            - '\a236e7d654cd932b7d11cb604629a2d0.sys'
            - '\spwizimgvt.sys'
            - '\c94f405c5929cfcccc8ad00b42c95083.sys'
            - '\fur.sys'
            - '\wantd.sys'
            - '\windbg.sys'
            - '\4118b86e490aed091b1a219dba45f332.sys'
            - '\gmer64.sys'
            - '\1fc7aeeff3ab19004d2e53eae8160ab1.sys'
            - '\poortry2.sys'
            - '\wintapix.sys'
            - '\daxin_blank6.sys'
            - '\6771b13a53b9c7449d4891e427735ea2.sys'
            - '\blacklotus_driver.sys'
            - '\air_system10.sys'
            - '\dkrtk.sys'
            - '\7.sys'
            - '\sense5ext.sys'
            - '\ktgn.sys'
            - '\ndislan.sys'
            - '\nlslexicons0024uvn.sys'
            - '\be6318413160e589080df02bb3ca6e6a.sys'
            - '\4.sys'
            - '\wantd_2.sys'
            - '\e29f6311ae87542b3d693c1f38e4e3ad.sys'
            - '\daxin_blank3.sys'
            - '\gftkyj64.sys'
            - '\daxin_blank2.sys'
            - '\wantd_4.sys'
            - '\reddriver.sys'
            - '\834761775.sys'
            - '\mlgbbiicaihflrnh.sys'
            - '\mjj0ge.sys'
            - '\daxin_blank.sys'
            - '\daxin_blank5.sys'
            - '\poortry1.sys'
            - '\msqpq.sys'
            - '\mimidrv.sys'
            - '\e939448b28a4edc81f1f974cebf6e7d2.sys'
            - '\prokiller64.sys'
            - '\nodedriver.sys'
            - '\wantd_3.sys'
            - '\lctka.sys'
            - '\kapchelper_x64.sys'
            - '\daxin_blank4.sys'
            - '\a9df5964635ef8bd567ae487c3d214c4.sys'
            - '\wantd_6.sys'
            - '\ntbios.sys'
            - '\wantd_5.sys'
            - '\pciecubed.sys'
            - '\mimikatz.sys'
            - '\nqrmq.sys'
            - '\2.sys'
            - '\poortry.sys'
            - '\ntbios_2.sys'
            - '\fgme.sys'
            - '\telephonuafy.sys'
            - '\typelibde.sys'
            - '\daxin_blank1.sys'
            - '\ef0e1725aaf0c6c972593f860531a2ea.sys'
            - '\5a4fe297c7d42539303137b6d75b150d.sys'
    condition: selection
falsepositives:
    - False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non-vulnerable version.
    - If you experience a lot of FPs, you could comment out the driver name or its exact known legitimate location (when possible)
level: medium
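The rule's whole detection is a single `ImageLoaded|endswith` list, so its behaviour on real events comes down to the matching semantics a Sigma backend applies: the comparison is case-insensitive by default, and because every entry begins with a backslash the match is anchored to the file name, so a driver whose name merely contains one of the listed names (e.g. `xmimidrv.sys`) is not a hit. The following is an added example, not code from the Sigma project or the rule author, that re-implements that selection over constructed `driver_load` events (Sysmon Event ID 6 shape, `ImageLoaded` field) using a subset of the names copied from the rule, and shows the tuning the falsepositives section suggests, suppressing a hit when the full path is a known legitimate location. The allow-list path and the event contents are assumptions made for the example.

```python
"""
Minimal evaluator for the 'ImageLoaded|endswith' selection of the rule above.

Added example; not the Sigma project's or the rule author's code. It mirrors what a
Sigma backend does with this rule: a case-insensitive suffix match on ImageLoaded,
anchored by the leading backslash in each list entry. It also implements the
allow-list tuning suggested in the rule's falsepositives section.
"""
from typing import Iterable, List, Optional, Tuple

# Subset of the rule's ImageLoaded|endswith list (names copied from the rule above).
MALICIOUS_DRIVER_SUFFIXES = [
    r"\mimidrv.sys",
    r"\mimikatz.sys",
    r"\gmer64.sys",
    r"\poortry.sys",
    r"\blacklotus_driver.sys",
    r"\wantd.sys",
    r"\7.sys",
]

# Constructed driver_load events (Sysmon Event ID 6 style); only ImageLoaded is used.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\mimidrv.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\MIMIKATZ.SYS"},               # case differs from rule
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\xmimidrv.sys"},  # near miss: no backslash boundary
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},     # benign
    {"EventID": 6, "ImageLoaded": r"D:\tools\gmer64.sys"},
]


def matches_rule(event: dict) -> Optional[str]:
    """Return the list entry that ImageLoaded ends with (Sigma default: case-insensitive),
    or None if the event does not match the selection."""
    image = event.get("ImageLoaded", "").lower()
    for suffix in MALICIOUS_DRIVER_SUFFIXES:
        if image.endswith(suffix.lower()):
            return suffix
    return None


def matches_rule_with_allowlist(event: dict, allowed_paths: Iterable[str]) -> Optional[str]:
    """Same check, but drop hits whose full path is an explicitly known legitimate location
    (the tuning the rule's falsepositives note suggests). Allow exact paths, never bare names,
    so a copy of the driver in an unexpected directory still alerts."""
    image = event.get("ImageLoaded", "")
    if image.lower() in {p.lower() for p in allowed_paths}:
        return None
    return matches_rule(event)


def run(events: Iterable[dict], allowed_paths: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Evaluate the selection over a batch of events; returns (ImageLoaded, matched entry) pairs."""
    allowed = list(allowed_paths)
    hits = []
    for ev in events:
        suffix = matches_rule_with_allowlist(ev, allowed)
        if suffix:
            hits.append((ev["ImageLoaded"], suffix))
    return hits


if __name__ == "__main__":
    for path, suffix in run(SAMPLE_EVENTS):
        print(f"ALERT driver_load {path} matched {suffix}")
```

Running the block alerts on the three events whose file name equals a listed entry (including the upper-case one) and stays silent on `xmimidrv.sys` and `tcpip.sys`; passing a known legitimate full path in `allowed_paths` removes that single hit while leaving the others, which is the narrowest tuning when a listed name collides with a legitimate, non-vulnerable driver version.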
