Vulnerable Driver Load By Name
Detects the load of known vulnerable drivers via the file name of the drivers.
Sigma rule
```yaml
title: Vulnerable Driver Load By Name
id: 72cd00d6-490c-4650-86ff-1d11f491daa1
status: test
description: Detects the load of known vulnerable drivers via the file name of the drivers.
references:
    - https://loldrivers.io/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-03
modified: 2023-12-02
tags:
    - attack.privilege-escalation
    - attack.t1543.003
    - attack.t1068
logsource:
    product: windows
    category: driver_load
detection:
    selection:
        ImageLoaded|endswith:
            - '\panmonfltx64.sys'
            - '\dbutil.sys'
            - '\fairplaykd.sys'
            - '\nvaudio.sys'
            - '\superbmc.sys'
            - '\bsmi.sys'
            - '\smarteio64.sys'
            - '\bwrsh.sys'
            - '\agent64.sys'
            - '\asmmap64.sys'
            - '\dellbios.sys'
            - '\chaos-rootkit.sys'
            - '\wcpu.sys'
            - '\dh_kernel.sys'
            - '\sbiosio64.sys'
            - '\bw.sys'
            - '\asrdrv102.sys'
            - '\nt6.sys'
            - '\mhyprot3.sys'
            - '\winio64c.sys'
            - '\asupio64.sys'
            - '\blackbonedrv10.sys'
            - '\d.sys'
            - '\driver7-x86.sys'
            - '\sfdrvx32.sys'
            - '\enetechio64.sys'
            - '\gdrv.sys'
            - '\sysinfodetectorx64.sys'
            - '\fh-ethercat_dio.sys'
            - '\asromgdrv.sys'
            - '\my.sys'
            - '\dcprotect.sys'
            - '\irec.sys'
            - '\gedevdrv.sys'
            - '\winio32a.sys'
            - '\gvcidrv64.sys'
            - '\winio32.sys'
            - '\bs_hwmio64.sys'
            - '\nstr.sys'
            - '\inpoutx64.sys'
            - '\hw.sys'
            - '\winio64.sys'
            - '\hpportiox64.sys'
            - '\iobitunlocker.sys'
            - '\b1.sys'
            - '\aoddriver.sys'
            - '\elbycdio.sys'
            - '\protects.sys'
            - '\kprocesshacker.sys'
            - '\speedfan.sys'
            - '\radhwmgr.sys'
            - '\iscflashx64.sys'
            - '\black.sys'
            - '\b4.sys'
            - '\hwos2ec10x64.sys'
            - '\winflash64.sys'
            - '\corsairllaccess64.sys'
            - '\bs_i2cio.sys'
            - '\d3.sys'
            - '\windows-xp-64.sys'
            - '\aswvmm.sys'
            - '\bs_i2c64.sys'
            - '\1.sys'
            - '\nchgbios2x64.sys'
            - '\cpuz141.sys'
            - '\segwindrvx64.sys'
            - '\tdeio64.sys'
            - '\ntiolib.sys'
            - '\gtckmdfbs.sys'
            - '\iomap64.sys'
            - '\avalueio.sys'
            - '\semav6msr.sys'
            - '\lgdcatcher.sys'
            - '\b.sys'
            - '\hwdetectng.sys'
            - '\nt4.sys'
            - '\tgsafe.sys'
            - '\mydrivers.sys'
            - '\eneio64.sys'
            - '\procexp.sys'
            - '\viragt64.sys'
            - '\fpcie2com.sys'
            - '\lenovodiagnosticsdriver.sys'
            - '\cp2x72c.sys'
            - '\kerneld.amd64'
            - '\bs_def64.sys'
            - '\piddrv.sys'
            - '\amifldrv64.sys'
            - '\cpuz_x64.sys'
            - '\proxy32.sys'
            - '\wsdkd.sys'
            - '\t8.sys'
            - '\ucorew64.sys'
            - '\atszio.sys'
            - '\lmiinfo.sys'
            - '\80.sys'
            - '\nt3.sys'
            - '\ngiodriver.sys'
            - '\lv561av.sys'
            - '\gpcidrv64.sys'
            - '\fd3b7234419fafc9bdd533f48896ed73_b816c5cd.sys'
            - '\rtport.sys'
            - '\full.sys'
            - '\viragt.sys'
            - '\fiddrv64.sys'
            - '\cupfixerx64.sys'
            - '\cpupress.sys'
            - '\hwos2ec7x64.sys'
            - '\driver7-x86-withoutdbg.sys'
            - '\asrdrv10.sys'
            - '\nvflsh64.sys'
            - '\asrrapidstartdrv.sys'
            - '\tmcomm.sys'
            - '\wiseunlo.sys'
            - '\rwdrv.sys'
            - '\asio64.sys'
            - '\nvoclock.sys'
            - '\panio.sys'
            - '\mtcbsv64.sys'
            - '\amigendrv64.sys'
            - '\capcom.sys'
            - '\netflt.sys'
            - '\phlashnt.sys'
            - '\dbutil_2_3.sys'
            - '\ni.sys'
            - '\ntiolib_x64.sys'
            - '\atszio64.sys'
            - '\lgcoretemp.sys'
            - '\lha.sys'
            - '\phymem64.sys'
            - '\dbutildrv2.sys'
            - '\asrdrv103.sys'
            - '\rtcore64.sys'
            - '\bs_hwmio64_w10.sys'
            - '\ene.sys'
            - '\winio64b.sys'
            - '\piddrv64.sys'
            - '\directio32.sys'
            - '\monitor_win10_x64.sys'
            - '\nt5.sys'
            - '\asrsmartconnectdrv.sys'
            - '\rtif.sys'
            - '\atillk64.sys'
            - '\directio.sys'
            - '\asribdrv.sys'
            - '\kfeco11x64.sys'
            - '\citmdrv_ia64.sys'
            - '\sysdrv3s.sys'
            - '\amp.sys'
            - '\vboxdrv.sys'
            - '\adv64drv.sys'
            - '\hostnt.sys'
            - '\phymem_ext64.sys'
            - '\echo_driver.sys'
            - '\winiodrv.sys'
            - '\pdfwkrnl.sys'
            - '\glckio2.sys'
            - '\asrdrv106.sys'
            - '\nscm.sys'
            - '\bs_rcio64.sys'
            - '\ncpl.sys'
            - '\sandra.sys'
            - '\fiddrv.sys'
            - '\hwrwdrv.sys'
            - '\mhyprot.sys'
            - '\asrsetupdrv103.sys'
            - '\iqvw64.sys'
            - '\b3.sys'
            - '\ssport.sys'
            - '\bs_def.sys'
            - '\computerz.sys'
            - '\windows8-10-32.sys'
            - '\nstrwsk.sys'
            - '\lurker.sys'
            - '\bsmemx64.sys'
            - '\wyproxy64.sys'
            - '\asio.sys'
            - '\t3.sys'
            - '\cpuz.sys'
            - '\rtkio.sys'
            - '\driver7-x64.sys'
            - '\netfilterdrv.sys'
            - '\ioaccess.sys'
            - '\testbone.sys'
            - '\gameink.sys'
            - '\kevp64.sys'
            - '\mhyprot2.sys'
            - '\se64a.sys'
            - '\vboxusb.sys'
            - '\windows7-32.sys'
            - '\vproeventmonitor.sys'
            - '\winio64a.sys'
            - '\asrdrv101.sys'
            - '\netproxydriver.sys'
            - '\elrawdsk.sys'
            - '\zam64.sys'
            - '\cg6kwin2k.sys'
            - '\asupio.sys'
            - '\stdcdrvws64.sys'
            - '\81.sys'
            - '\citmdrv_amd64.sys'
            - '\amdryzenmasterdriver.sys'
            - '\vmdrv.sys'
            - '\sysinfo.sys'
            - '\alsysio64.sys'
            - '\directio64.sys'
            - '\rzpnk.sys'
            - '\amdpowerprofiler.sys'
            - '\truesight.sys'
            - '\wirwadrv.sys'
            - '\phymemx64.sys'
            - '\msio64.sys'
            - '\sepdrv3_1.sys'
            - '\gametersafe.sys'
            - '\bs_rcio.sys'
            - '\d4.sys'
            - '\t.sys'
            - '\eio.sys'
            - '\nt2.sys'
            - '\winring0.sys'
            - '\physmem.sys'
            - '\libnicm.sys'
            - '\msio32.sys'
            - '\asrautochkupddrv.sys'
            - '\asio32.sys'
            - '\etdsupp.sys'
            - '\smep_namco.sys'
            - '\bandai.sys'
            - '\d2.sys'
            - '\magdrvamd64.sys'
            - '\nvflash.sys'
            - '\goad.sys'
            - '\proxy64.sys'
            - '\amsdk.sys'
            - '\kbdcap64.sys'
            - '\vdbsv64.sys'
            - '\pchunter.sys'
            - '\sysconp.sys'
            - '\dh_kernel_10.sys'
            - '\msrhook.sys'
            - '\bedaisy.sys'
            - '\dcr.sys'
            - '\panmonflt.sys'
            - '\bsmixp64.sys'
            - '\otipcibus.sys'
            - '\fidpcidrv.sys'
            - '\kfeco10x64.sys'
            - '\asrdrv104.sys'
            - '\c.sys'
            - '\tdklib64.sys'
            - '\bsmix64.sys'
            - '\bs_flash64.sys'
            - '\stdcdrv64.sys'
            - '\naldrv.sys'
            - '\ctiio64.sys'
            - '\bwrs.sys'
            - '\nicm.sys'
            - '\winio32b.sys'
            - '\paniox64.sys'
            - '\ecsiodriverx64.sys'
            - '\iomem64.sys'
            - '\fidpcidrv64.sys'
            - '\aswarpot.sys'
            - '\bs_rciow1064.sys'
            - '\asmio64.sys'
            - '\openlibsys.sys'
            - '\viraglt64.sys'
            - '\dbk64.sys'
            - '\t7.sys'
            - '\atlaccess.sys'
            - '\nbiolib_x64.sys'
            - '\smep_capcom.sys'
            - '\iqvw64e.sys'
    condition: selection
falsepositives:
    - False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
    - If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)
level: low
```
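To show how the selection above behaves on driver_load events, here is an added Python re-implementation of the `ImageLoaded|endswith` match (it is not code from the Sigma project or the rule's author). The Sysmon-style event records and their hashes are constructed placeholders, and the hash cross-check is an assumed triage step reflecting the falsepositives note, not something the rule itself does.

```python
"""Re-implementation of the rule's `ImageLoaded|endswith` selection over
constructed Sysmon driver_load (Event ID 6) records. Added example only;
not code from the Sigma project or the rule's author."""

# Subset of the file names in the rule's selection, with the leading
# backslash kept so that only a whole file name can match.
VULN_DRIVER_NAMES = (
    r"\dbutil_2_3.sys", r"\rtcore64.sys", r"\gdrv.sys",
    r"\procexp.sys", r"\winring0.sys", r"\kprocesshacker.sys",
)

def matches_selection(image_loaded: str) -> bool:
    """Sigma string modifiers compare case-insensitively by default,
    so the path is lower-cased before the suffix test."""
    path = image_loaded.lower()
    return any(path.endswith(name.lower()) for name in VULN_DRIVER_NAMES)

def parse_hashes(hashes_field: str) -> dict:
    """Split Sysmon's 'SHA256=...,IMPHASH=...' Hashes field into a dict."""
    return dict(part.split("=", 1) for part in hashes_field.split(",") if "=" in part)

def triage(event: dict, known_good_sha256: set) -> str:
    """Name match as in the rule, then an assumed hash cross-check that the
    rule itself does not perform: a file name alone does not show whether
    the loaded binary is the vulnerable or a fixed version (see the
    falsepositives note), so alerts on a known-good hash are flagged."""
    if not matches_selection(event["ImageLoaded"]):
        return "no-match"
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256", "").lower()
    if sha256 and sha256 in known_good_sha256:
        return "alert-known-good-hash"
    return "alert"

# Constructed sample events; the hashes are placeholders, not real file hashes.
KNOWN_GOOD_SHA256 = {"a" * 64}
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\Temp\DBUtil_2_3.sys", "Hashes": "SHA256=" + "b" * 64},
    {"ImageLoaded": r"C:\Tools\PROCEXP.SYS", "Hashes": "SHA256=" + "a" * 64},
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
    # 'notgdrv.sys' shares the suffix 'gdrv.sys' but not '\gdrv.sys'.
    {"ImageLoaded": r"C:\Windows\System32\drivers\notgdrv.sys"},
]

def run(events=SAMPLE_EVENTS, known_good=KNOWN_GOOD_SHA256) -> list:
    """Triage every event; returns one verdict per event in input order."""
    return [triage(e, known_good) for e in events]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run()):
        print(f"{verdict:24} {event['ImageLoaded']}")
```

The fourth event shows why every entry in the rule starts with a backslash: without it, any file whose name merely ends in a listed name would also match.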
Related rules
- Malicious Driver Load
- Malicious Driver Load By Name
- Vulnerable Driver Load
- InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
- Suspicious Sysmon as Execution Parent