Vulnerable Driver Load By Name

Detects the load of known vulnerable drivers via their names only.

Sigma rule (View on GitHub)

  1title: Vulnerable Driver Load By Name
  2id: c316eac1-f3d8-42da-ad1c-66dcec5ca787
  3related:
  4    - id: 7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8
  5      type: derived
  6status: experimental
  7description: Detects the load of known vulnerable drivers via their names only.
  8references:
  9    - https://loldrivers.io/
 10author: Nasreddine Bencherchali (Nextron Systems)
 11date: 2022/10/03
 12modified: 2023/04/06
 13tags:
 14    - attack.privilege_escalation
 15    - attack.t1543.003
 16    - attack.t1068
 17logsource:
 18    product: windows
 19    category: driver_load
 20detection:
 21    selection:
 22        ImageLoaded|endswith:
 23            - '\mtcbsv64.sys'
 24            - '\bs_def64.sys'
 25            - '\gameink.sys'
 26            - '\81.sys'
 27            - '\bs_rcio.sys'
 28            - '\sense5ext.sys'
 29            - '\asrdrv10.sys'
 30            - '\gvcidrv64.sys'
 31            - '\wantd_5.sys'
 32            - '\driver7-x86-withoutdbg.sys'
 33            - '\atillk64.sys'
 34            - '\lurker.sys'
 35            - '\segwindrvx64.sys'
 36            - '\nt3.sys'
 37            - '\enetechio64.sys'
 38            - '\asio64.sys'
 39            - '\inpoutx64.sys'
 40            - '\windows8-10-32.sys'
 41            - '\directio.sys'
 42            - '\rtkio.sys'
 43            - '\corsairllaccess64.sys'
 44            - '\nt6.sys'
 45            - '\winflash64.sys'
 46            - '\paniox64.sys'
 47            - '\blackbonedrv10.sys'
 48            - '\msio32.sys'
 49            - '\fiddrv.sys'
 50            - '\asio.sys'
 51            - '\dbutildrv2.sys'
 52            - '\my.sys'
 53            - '\wantd_3.sys'
 54            - '\winio32a.sys'
 55            - '\wyproxy64.sys'
 56            - '\ni.sys'
 57            - '\bs_i2cio.sys'
 58            - '\kprocesshacker.sys'
 59            - '\protects.sys'
 60            - '\phymem64.sys'
 61            - '\proxy32.sys'
 62            - '\b.sys'
 63            - '\netproxydriver.sys'
 64            - '\bs_hwmio64_w10.sys'
 65            - '\physmem.sys'
 66            - '\asrsmartconnectdrv.sys'
 67            - '\b3.sys'
 68            - '\monitor_win10_x64.sys'
 69            - '\poortry2.sys'
 70            - '\amdryzenmasterdriver.sys'
 71            - '\t.sys'
 72            - '\sandra.sys'
 73            - '\bsmix64.sys'
 74            - '\bs_i2c64.sys'
 75            - '\wantd_6.sys'
 76            - '\bs_rcio64.sys'
 77            - '\zam64.sys'
 78            - '\viragt64.sys'
 79            - '\winio32b.sys'
 80            - '\poortry1.sys'
 81            - '\msio64.sys'
 82            - '\winio32.sys'
 83            - '\ncpl.sys'
 84            - '\nchgbios2x64.sys'
 85            - '\bwrsh.sys'
 86            - '\panio.sys'
 87            - '\lha.sys'
 88            - '\ntbios.sys'
 89            - '\blacklotus_driver.sys'
 90            - '\fidpcidrv.sys'
 91            - '\b4.sys'
 92            - '\mhyprot3.sys'
 93            - '\ucorew64.sys'
 94            - '\hwos2ec7x64.sys'
 95            - '\bsmemx64.sys'
 96            - '\windows7-32.sys'
 97            - '\asrdrv106.sys'
 98            - '\elbycdio.sys'
 99            - '\iomem64.sys'
100            - '\asupio.sys'
101            - '\otipcibus.sys'
102            - '\windows-xp-64.sys'
103            - '\aswarpot.sys'
104            - '\amdpowerprofiler.sys'
105            - '\d.sys'
106            - '\2.sys'
107            - '\tgsafe.sys'
108            - '\ntiolib_x64.sys'
109            - '\asrrapidstartdrv.sys'
110            - '\1.sys'
111            - '\hwos2ec10x64.sys'
112            - '\daxin_blank5.sys'
113            - '\viraglt64.sys'
114            - '\iomap64.sys'
115            - '\lv561av.sys'
116            - '\nscm.sys'
117            - '\c.sys'
118            - '\asribdrv.sys'
119            - '\b1.sys'
120            - '\eneio64.sys'
121            - '\capcom.sys'
122            - '\80.sys'
123            - '\asio32.sys'
124            - '\iobitunlocker.sys'
125            - '\zamguard64.sys'
126            - '\nstrwsk.sys'
127            - '\wiseunlo.sys'
128            - '\t7.sys'
129            - '\bs_hwmio64.sys'
130            - '\hostnt.sys'
131            - '\glckio2.sys'
132            - '\hpportiox64.sys'
133            - '\citmdrv_amd64.sys'
134            - '\kevp64.sys'
135            - '\bsmixp64.sys'
136            - '\nbiolib_x64.sys'
137            - '\d3.sys'
138            - '\full.sys'
139            - '\nvflash.sys'
140            - '\rtcore64.sys'
141            - '\speedfan.sys'
142            - '\fidpcidrv64.sys'
143            - '\hwrwdrv.sys'
144            - '\msrhook.sys'
145            - '\proxy64.sys'
146            - '\7.sys'
147            - '\winring0.sys'
148            - '\hw_sys'
149            - '\winio64b.sys'
150            - '\semav6msr64.sys'
151            - '\bandai.sys'
152            - '\piddrv.sys'
153            - '\t8.sys'
154            - '\asrdrv103.sys'
155            - '\adv64drv.sys'
156            - '\asrsetupdrv103.sys'
157            - '\bwrs.sys'
158            - '\d4.sys'
159            - '\dbk64.sys'
160            - '\fiddrv64.sys'
161            - '\goad.sys'
162            - '\gametersafe.sys'
163            - '\mhyprot2.sys'
164            - '\lenovodiagnosticsdriver.sys'
165            - '\netflt.sys'
166            - '\bw.sys'
167            - '\ntbios_2.sys'
168            - '\dbutil.sys'
169            - '\dh_kernel.sys'
170            - '\rtkiow8x64.sys'
171            - '\daxin_blank.sys'
172            - '\superbmc.sys'
173            - '\nodedriver.sys'
174            - '\cpuz141.sys'
175            - '\gftkyj64.sys'
176            - '\d2.sys'
177            - '\4.sys'
178            - '\dh_kernel_10.sys'
179            - '\naldrv.sys'
180            - '\winiodrv.sys'
181            - '\asmmap64.sys'
182            - '\smep_namco.sys'
183            - '\mhyprot.sys'
184            - '\iqvw64e.sys'
185            - '\nstr.sys'
186            - '\ntiolib.sys'
187            - '\pciecubed.sys'
188            - '\vmdrv.sys'
189            - '\daxin_blank2.sys'
190            - '\atszio.sys'
191            - '\agent64.sys'
192            - '\cpupress.sys'
193            - '\driver7-x86.sys'
194            - '\krpocesshacker.sys'
195            - '\asrdrv102.sys'
196            - '\aswvmm.sys'
197            - '\tmcomm.sys'
198            - '\bs_def.sys'
199            - '\bsmi.sys'
200            - '\alsysio64.sys'
201            - '\cpuz.sys'
202            - '\daxin_blank1.sys'
203            - '\amifldrv64.sys'
204            - '\rwdrv.sys'
205            - '\testbone.sys'
206            - '\winio64c.sys'
207            - '\winring0x64.sys'
208            - '\nt4.sys'
209            - '\procexp.sys'
210            - '\winio64.sys'
211            - '\se64a.sys'
212            - '\air_system10.sys'
213            - '\wantd.sys'
214            - '\wcpu.sys'
215            - '\nicm.sys'
216            - '\daxin_blank6.sys'
217            - '\kbdcap64.sys'
218            - '\lctka.sys'
219            - '\nvflsh64.sys'
220            - '\phlashnt.sys'
221            - '\viragt.sys'
222            - '\atszio64.sys'
223            - '\dbutil_2_3.sys'
224            - '\phymemx64.sys'
225            - '\wantd_4.sys'
226            - '\ndislan.sys'
227            - '\panmonfltx64.sys'
228            - '\t3.sys'
229            - '\panmonflt.sys'
230            - '\daxin_blank3.sys'
231            - '\gdrv.sys'
232            - '\smep_capcom.sys'
233            - '\wyproxy32.sys'
234            - '\black.sys'
235            - '\vboxdrv.sys'
236            - '\cpuz_x64.sys'
237            - '\poortry.sys'
238            - '\mydrivers.sys'
239            - '\winio64a.sys'
240            - '\openlibsys.sys'
241            - '\bs_flash64.sys'
242            - '\vproeventmonitor.sys'
243            - '\piddrv64.sys'
244            - '\wantd_2.sys'
245            - '\sysinfo.sys'
246            - '\asrdrv104.sys'
247            - '\netfilterdrv.sys'
248            - '\libnicm.sys'
249            - '\driver7-x64.sys'
250            - '\semav6msr.sys'
251            - '\pchunter.sys'
252            - '\asupio64.sys'
253            - '\rtkio64.sys'
254            - '\rzpnk.sys'
255            - '\magdrvamd64.sys'
256            - '\elrawdsk.sys'
257            - '\amp.sys'
258            - '\asrautochkupddrv.sys'
259            - '\lgdcatcher.sys'
260            - '\fairplaykd.sys'
261            - '\daxin_blank4.sys'
262            - '\rtkiow10x64.sys'
263            - '\citmdrv_ia64.sys'
264            - '\nt5.sys'
265            - '\asromgdrv.sys'
266            - '\nt2.sys'
267            - '\asrdrv101.sys'
268    condition: selection
269falsepositives:
270    - False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
271    - If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)
272level: medium
