Vulnerable Driver Load By Name
Detects the load of known vulnerable drivers via the file name of the drivers.
Sigma rule
title: Vulnerable Driver Load By Name
id: 72cd00d6-490c-4650-86ff-1d11f491daa1
status: test
description: Detects the load of known vulnerable drivers via the file name of the drivers.
references:
    - https://loldrivers.io/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-03
modified: 2023-12-02
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
    - attack.t1068
logsource:
    product: windows
    category: driver_load
detection:
    selection:
        ImageLoaded|endswith:
            - '\panmonfltx64.sys'
            - '\dbutil.sys'
            - '\fairplaykd.sys'
            - '\nvaudio.sys'
            - '\superbmc.sys'
            - '\bsmi.sys'
            - '\smarteio64.sys'
            - '\bwrsh.sys'
            - '\agent64.sys'
            - '\asmmap64.sys'
            - '\dellbios.sys'
            - '\chaos-rootkit.sys'
            - '\wcpu.sys'
            - '\dh_kernel.sys'
            - '\sbiosio64.sys'
            - '\bw.sys'
            - '\asrdrv102.sys'
            - '\nt6.sys'
            - '\mhyprot3.sys'
            - '\winio64c.sys'
            - '\asupio64.sys'
            - '\blackbonedrv10.sys'
            - '\d.sys'
            - '\driver7-x86.sys'
            - '\sfdrvx32.sys'
            - '\enetechio64.sys'
            - '\gdrv.sys'
            - '\sysinfodetectorx64.sys'
            - '\fh-ethercat_dio.sys'
            - '\asromgdrv.sys'
            - '\my.sys'
            - '\dcprotect.sys'
            - '\irec.sys'
            - '\gedevdrv.sys'
            - '\winio32a.sys'
            - '\gvcidrv64.sys'
            - '\winio32.sys'
            - '\bs_hwmio64.sys'
            - '\nstr.sys'
            - '\inpoutx64.sys'
            - '\hw.sys'
            - '\winio64.sys'
            - '\hpportiox64.sys'
            - '\iobitunlocker.sys'
            - '\b1.sys'
            - '\aoddriver.sys'
            - '\elbycdio.sys'
            - '\protects.sys'
            - '\kprocesshacker.sys'
            - '\speedfan.sys'
            - '\radhwmgr.sys'
            - '\iscflashx64.sys'
            - '\black.sys'
            - '\b4.sys'
            - '\hwos2ec10x64.sys'
            - '\winflash64.sys'
            - '\corsairllaccess64.sys'
            - '\bs_i2cio.sys'
            - '\d3.sys'
            - '\windows-xp-64.sys'
            - '\aswvmm.sys'
            - '\bs_i2c64.sys'
            - '\1.sys'
            - '\nchgbios2x64.sys'
            - '\cpuz141.sys'
            - '\segwindrvx64.sys'
            - '\tdeio64.sys'
            - '\ntiolib.sys'
            - '\gtckmdfbs.sys'
            - '\iomap64.sys'
            - '\avalueio.sys'
            - '\semav6msr.sys'
            - '\lgdcatcher.sys'
            - '\b.sys'
            - '\hwdetectng.sys'
            - '\nt4.sys'
            - '\tgsafe.sys'
            - '\mydrivers.sys'
            - '\eneio64.sys'
            - '\procexp.sys'
            - '\viragt64.sys'
            - '\fpcie2com.sys'
            - '\lenovodiagnosticsdriver.sys'
            - '\cp2x72c.sys'
            - '\kerneld.amd64'
            - '\bs_def64.sys'
            - '\piddrv.sys'
            - '\amifldrv64.sys'
            - '\cpuz_x64.sys'
            - '\proxy32.sys'
            - '\wsdkd.sys'
            - '\t8.sys'
            - '\ucorew64.sys'
            - '\atszio.sys'
            - '\lmiinfo.sys'
            - '\80.sys'
            - '\nt3.sys'
            - '\ngiodriver.sys'
            - '\lv561av.sys'
            - '\gpcidrv64.sys'
            - '\fd3b7234419fafc9bdd533f48896ed73_b816c5cd.sys'
            - '\rtport.sys'
            - '\full.sys'
            - '\viragt.sys'
            - '\fiddrv64.sys'
            - '\cupfixerx64.sys'
            - '\cpupress.sys'
            - '\hwos2ec7x64.sys'
            - '\driver7-x86-withoutdbg.sys'
            - '\asrdrv10.sys'
            - '\nvflsh64.sys'
            - '\asrrapidstartdrv.sys'
            - '\tmcomm.sys'
            - '\wiseunlo.sys'
            - '\rwdrv.sys'
            - '\asio64.sys'
            - '\nvoclock.sys'
            - '\panio.sys'
            - '\mtcbsv64.sys'
            - '\amigendrv64.sys'
            - '\capcom.sys'
            - '\netflt.sys'
            - '\phlashnt.sys'
            - '\dbutil_2_3.sys'
            - '\ni.sys'
            - '\ntiolib_x64.sys'
            - '\atszio64.sys'
            - '\lgcoretemp.sys'
            - '\lha.sys'
            - '\phymem64.sys'
            - '\dbutildrv2.sys'
            - '\asrdrv103.sys'
            - '\rtcore64.sys'
            - '\bs_hwmio64_w10.sys'
            - '\ene.sys'
            - '\winio64b.sys'
            - '\piddrv64.sys'
            - '\directio32.sys'
            - '\monitor_win10_x64.sys'
            - '\nt5.sys'
            - '\asrsmartconnectdrv.sys'
            - '\rtif.sys'
            - '\atillk64.sys'
            - '\directio.sys'
            - '\asribdrv.sys'
            - '\kfeco11x64.sys'
            - '\citmdrv_ia64.sys'
            - '\sysdrv3s.sys'
            - '\amp.sys'
            - '\vboxdrv.sys'
            - '\adv64drv.sys'
            - '\hostnt.sys'
            - '\phymem_ext64.sys'
            - '\echo_driver.sys'
            - '\winiodrv.sys'
            - '\pdfwkrnl.sys'
            - '\glckio2.sys'
            - '\asrdrv106.sys'
            - '\nscm.sys'
            - '\bs_rcio64.sys'
            - '\ncpl.sys'
            - '\sandra.sys'
            - '\fiddrv.sys'
            - '\hwrwdrv.sys'
            - '\mhyprot.sys'
            - '\asrsetupdrv103.sys'
            - '\iqvw64.sys'
            - '\b3.sys'
            - '\ssport.sys'
            - '\bs_def.sys'
            - '\computerz.sys'
            - '\windows8-10-32.sys'
            - '\nstrwsk.sys'
            - '\lurker.sys'
            - '\bsmemx64.sys'
            - '\wyproxy64.sys'
            - '\asio.sys'
            - '\t3.sys'
            - '\cpuz.sys'
            - '\rtkio.sys'
            - '\driver7-x64.sys'
            - '\netfilterdrv.sys'
            - '\ioaccess.sys'
            - '\testbone.sys'
            - '\gameink.sys'
            - '\kevp64.sys'
            - '\mhyprot2.sys'
            - '\se64a.sys'
            - '\vboxusb.sys'
            - '\windows7-32.sys'
            - '\vproeventmonitor.sys'
            - '\winio64a.sys'
            - '\asrdrv101.sys'
            - '\netproxydriver.sys'
            - '\elrawdsk.sys'
            - '\zam64.sys'
            - '\cg6kwin2k.sys'
            - '\asupio.sys'
            - '\stdcdrvws64.sys'
            - '\81.sys'
            - '\citmdrv_amd64.sys'
            - '\amdryzenmasterdriver.sys'
            - '\vmdrv.sys'
            - '\sysinfo.sys'
            - '\alsysio64.sys'
            - '\directio64.sys'
            - '\rzpnk.sys'
            - '\amdpowerprofiler.sys'
            - '\truesight.sys'
            - '\wirwadrv.sys'
            - '\phymemx64.sys'
            - '\msio64.sys'
            - '\sepdrv3_1.sys'
            - '\gametersafe.sys'
            - '\bs_rcio.sys'
            - '\d4.sys'
            - '\t.sys'
            - '\eio.sys'
            - '\nt2.sys'
            - '\winring0.sys'
            - '\physmem.sys'
            - '\libnicm.sys'
            - '\msio32.sys'
            - '\asrautochkupddrv.sys'
            - '\asio32.sys'
            - '\etdsupp.sys'
            - '\smep_namco.sys'
            - '\bandai.sys'
            - '\d2.sys'
            - '\magdrvamd64.sys'
            - '\nvflash.sys'
            - '\goad.sys'
            - '\proxy64.sys'
            - '\amsdk.sys'
            - '\kbdcap64.sys'
            - '\vdbsv64.sys'
            - '\pchunter.sys'
            - '\sysconp.sys'
            - '\dh_kernel_10.sys'
            - '\msrhook.sys'
            - '\bedaisy.sys'
            - '\dcr.sys'
            - '\panmonflt.sys'
            - '\bsmixp64.sys'
            - '\otipcibus.sys'
            - '\fidpcidrv.sys'
            - '\kfeco10x64.sys'
            - '\asrdrv104.sys'
            - '\c.sys'
            - '\tdklib64.sys'
            - '\bsmix64.sys'
            - '\bs_flash64.sys'
            - '\stdcdrv64.sys'
            - '\naldrv.sys'
            - '\ctiio64.sys'
            - '\bwrs.sys'
            - '\nicm.sys'
            - '\winio32b.sys'
            - '\paniox64.sys'
            - '\ecsiodriverx64.sys'
            - '\iomem64.sys'
            - '\fidpcidrv64.sys'
            - '\aswarpot.sys'
            - '\bs_rciow1064.sys'
            - '\asmio64.sys'
            - '\openlibsys.sys'
            - '\viraglt64.sys'
            - '\dbk64.sys'
            - '\t7.sys'
            - '\atlaccess.sys'
            - '\nbiolib_x64.sys'
            - '\smep_capcom.sys'
            - '\iqvw64e.sys'
    condition: selection
falsepositives:
    - False positives may occur if one of the vulnerable drivers listed above did not change its file name between versions. Always verify that the driver being loaded is the legitimate, non-vulnerable version.
    - If you experience a lot of false positives, you can comment out the driver name or filter on its exact known legitimate location (when possible).
level: low
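As an added example (not part of the Sigma rule or the Sigma project), the selection logic above applied to constructed Sysmon Event ID 6 driver-load records: case-insensitive endswith matching on ImageLoaded with a subset of the rule's values, with each hit kept alongside its Hashes and Signature fields for the triage the falsepositives note asks for. The field names are Sysmon's; the events and hash placeholders are constructed sample data.

```python
from typing import Dict, List, Optional

# Added example, not Sigma project code. A subset of the rule's
# ImageLoaded|endswith values; the full rule carries the whole list.
VULNERABLE_DRIVER_SUFFIXES = [
    r"\dbutil_2_3.sys", r"\rtcore64.sys", r"\gdrv.sys",
    r"\procexp.sys", r"\capcom.sys", r"\kerneld.amd64",
]


def match_vulnerable_driver(image_loaded: str) -> Optional[str]:
    """Return the matching rule value, or None if the selection does not fire.

    Sigma's endswith modifier compares case-insensitively, and the leading
    backslash in every value anchors the match to a whole file name, so
    'notdbutil_2_3.sys' is not reported while 'DBUtil_2_3.SYS' is.
    """
    candidate = image_loaded.lower()
    for suffix in VULNERABLE_DRIVER_SUFFIXES:
        if candidate.endswith(suffix.lower()):
            return suffix
    return None


def evaluate_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the selection over driver_load events (Sysmon Event ID 6 fields).

    Each hit keeps the Hashes and Signature fields so an analyst can check the
    false-positive case the rule warns about: a legitimate, non-vulnerable build
    that kept the same file name (compare the hash against loldrivers.io).
    """
    hits = []
    for ev in events:
        suffix = match_vulnerable_driver(ev.get("ImageLoaded", ""))
        if suffix is not None:
            hits.append({"ImageLoaded": ev["ImageLoaded"], "matched": suffix,
                         "Hashes": ev.get("Hashes", ""),
                         "Signature": ev.get("Signature", "")})
    return hits


# Constructed sample events; hash values are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys",
     "Hashes": "SHA256=<placeholder>", "Signature": "Microsoft Windows"},
    {"ImageLoaded": r"C:\Users\Public\DBUtil_2_3.SYS",
     "Hashes": "SHA256=<placeholder>", "Signature": "Dell Inc."},
    {"ImageLoaded": r"C:\Temp\notdbutil_2_3.sys", "Hashes": "", "Signature": ""},
    {"ImageLoaded": r"C:\Windows\Temp\kerneld.amd64", "Hashes": "", "Signature": ""},
]
```

Running `evaluate_events(SAMPLE_EVENTS)` reports only the DBUtil_2_3.SYS and kerneld.amd64 loads; the `notdbutil_2_3.sys` record is skipped because the leading backslash is part of the suffix.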
Related rules
- Malicious Driver Load
- Malicious Driver Load By Name
- Vulnerable Driver Load
- Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- CobaltStrike Service Installations - Security