Malicious Driver Load By Name

calendar Dec 21, 2023 · attack.privilege_escalation attack.t1543.003 attack.t1068  ·
Share on: linkedin copy

Detects loading of known malicious drivers via the file name of the drivers.

Sigma rule (View on GitHub)

 1title: Malicious Driver Load By Name
 2id: 39b64854-5497-4b57-a448-40977b8c9679
 3status: experimental
 4description: Detects loading of known malicious drivers via the file name of the drivers.
 5references:
 6    - https://loldrivers.io/
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022/10/03
 9modified: 2023/12/02
10tags:
11    - attack.privilege_escalation
12    - attack.t1543.003
13    - attack.t1068
14logsource:
15    product: windows
16    category: driver_load
17detection:
18    selection:
19        ImageLoaded|endswith:
20            - '\wfshbr64.sys'
21            - '\ktmutil7odm.sys'
22            - '\ktes.sys'
23            - '\a26363e7b02b13f2b8d697abb90cd5c3.sys'
24            - '\kt2.sys'
25            - '\4748696211bd56c2d93c21cab91e82a5.sys'
26            - '\malicious.sys'
27            - '\a236e7d654cd932b7d11cb604629a2d0.sys'
28            - '\spwizimgvt.sys'
29            - '\c94f405c5929cfcccc8ad00b42c95083.sys'
30            - '\fur.sys'
31            - '\wantd.sys'
32            - '\windbg.sys'
33            - '\4118b86e490aed091b1a219dba45f332.sys'
34            - '\gmer64.sys'
35            - '\1fc7aeeff3ab19004d2e53eae8160ab1.sys'
36            - '\poortry2.sys'
37            - '\wintapix.sys'
38            - '\daxin_blank6.sys'
39            - '\6771b13a53b9c7449d4891e427735ea2.sys'
40            - '\blacklotus_driver.sys'
41            - '\air_system10.sys'
42            - '\dkrtk.sys'
43            - '\7.sys'
44            - '\sense5ext.sys'
45            - '\ktgn.sys'
46            - '\ndislan.sys'
47            - '\nlslexicons0024uvn.sys'
48            - '\be6318413160e589080df02bb3ca6e6a.sys'
49            - '\4.sys'
50            - '\wantd_2.sys'
51            - '\e29f6311ae87542b3d693c1f38e4e3ad.sys'
52            - '\daxin_blank3.sys'
53            - '\gftkyj64.sys'
54            - '\daxin_blank2.sys'
55            - '\wantd_4.sys'
56            - '\reddriver.sys'
57            - '\834761775.sys'
58            - '\mlgbbiicaihflrnh.sys'
59            - '\mjj0ge.sys'
60            - '\daxin_blank.sys'
61            - '\daxin_blank5.sys'
62            - '\poortry1.sys'
63            - '\msqpq.sys'
64            - '\mimidrv.sys'
65            - '\e939448b28a4edc81f1f974cebf6e7d2.sys'
66            - '\prokiller64.sys'
67            - '\nodedriver.sys'
68            - '\wantd_3.sys'
69            - '\lctka.sys'
70            - '\kapchelper_x64.sys'
71            - '\daxin_blank4.sys'
72            - '\a9df5964635ef8bd567ae487c3d214c4.sys'
73            - '\wantd_6.sys'
74            - '\ntbios.sys'
75            - '\wantd_5.sys'
76            - '\pciecubed.sys'
77            - '\mimikatz.sys'
78            - '\nqrmq.sys'
79            - '\2.sys'
80            - '\poortry.sys'
81            - '\ntbios_2.sys'
82            - '\fgme.sys'
83            - '\telephonuafy.sys'
84            - '\typelibde.sys'
85            - '\daxin_blank1.sys'
86            - '\ef0e1725aaf0c6c972593f860531a2ea.sys'
87            - '\5a4fe297c7d42539303137b6d75b150d.sys'
88    condition: selection
89falsepositives:
90    - False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
91    - If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)
92level: medium

References

  • LOLDrivers

    asas.sys6165491e8391eac9c0e3b9a2a31e1692a567c16cbfa36d7a88c401ffae1f6c63Vulnerable drivers2023-07-22magdrvamd64.sysbe54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57Vulnerable driver2...


    Read More

Related rules

to-top