Vulnerable Driver Load By Name
Detects the load of known vulnerable drivers via their names only.
Sigma rule
title: Vulnerable Driver Load By Name
id: c316eac1-f3d8-42da-ad1c-66dcec5ca787
related:
    - id: 7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8
      type: derived
status: experimental
description: Detects the load of known vulnerable drivers via their names only.
references:
    - https://loldrivers.io/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/10/03
modified: 2023/04/06
tags:
    - attack.privilege_escalation
    - attack.t1543.003
    - attack.t1068
logsource:
    product: windows
    category: driver_load
detection:
    selection:
        ImageLoaded|endswith:
            - '\mtcbsv64.sys'
            - '\bs_def64.sys'
            - '\gameink.sys'
            - '\81.sys'
            - '\bs_rcio.sys'
            - '\sense5ext.sys'
            - '\asrdrv10.sys'
            - '\gvcidrv64.sys'
            - '\wantd_5.sys'
            - '\driver7-x86-withoutdbg.sys'
            - '\atillk64.sys'
            - '\lurker.sys'
            - '\segwindrvx64.sys'
            - '\nt3.sys'
            - '\enetechio64.sys'
            - '\asio64.sys'
            - '\inpoutx64.sys'
            - '\windows8-10-32.sys'
            - '\directio.sys'
            - '\rtkio.sys'
            - '\corsairllaccess64.sys'
            - '\nt6.sys'
            - '\winflash64.sys'
            - '\paniox64.sys'
            - '\blackbonedrv10.sys'
            - '\msio32.sys'
            - '\fiddrv.sys'
            - '\asio.sys'
            - '\dbutildrv2.sys'
            - '\my.sys'
            - '\wantd_3.sys'
            - '\winio32a.sys'
            - '\wyproxy64.sys'
            - '\ni.sys'
            - '\bs_i2cio.sys'
            - '\kprocesshacker.sys'
            - '\protects.sys'
            - '\phymem64.sys'
            - '\proxy32.sys'
            - '\b.sys'
            - '\netproxydriver.sys'
            - '\bs_hwmio64_w10.sys'
            - '\physmem.sys'
            - '\asrsmartconnectdrv.sys'
            - '\b3.sys'
            - '\monitor_win10_x64.sys'
            - '\poortry2.sys'
            - '\amdryzenmasterdriver.sys'
            - '\t.sys'
            - '\sandra.sys'
            - '\bsmix64.sys'
            - '\bs_i2c64.sys'
            - '\wantd_6.sys'
            - '\bs_rcio64.sys'
            - '\zam64.sys'
            - '\viragt64.sys'
            - '\winio32b.sys'
            - '\poortry1.sys'
            - '\msio64.sys'
            - '\winio32.sys'
            - '\ncpl.sys'
            - '\nchgbios2x64.sys'
            - '\bwrsh.sys'
            - '\panio.sys'
            - '\lha.sys'
            - '\ntbios.sys'
            - '\blacklotus_driver.sys'
            - '\fidpcidrv.sys'
            - '\b4.sys'
            - '\mhyprot3.sys'
            - '\ucorew64.sys'
            - '\hwos2ec7x64.sys'
            - '\bsmemx64.sys'
            - '\windows7-32.sys'
            - '\asrdrv106.sys'
            - '\elbycdio.sys'
            - '\iomem64.sys'
            - '\asupio.sys'
            - '\otipcibus.sys'
            - '\windows-xp-64.sys'
            - '\aswarpot.sys'
            - '\amdpowerprofiler.sys'
            - '\d.sys'
            - '\2.sys'
            - '\tgsafe.sys'
            - '\ntiolib_x64.sys'
            - '\asrrapidstartdrv.sys'
            - '\1.sys'
            - '\hwos2ec10x64.sys'
            - '\daxin_blank5.sys'
            - '\viraglt64.sys'
            - '\iomap64.sys'
            - '\lv561av.sys'
            - '\nscm.sys'
            - '\c.sys'
            - '\asribdrv.sys'
            - '\b1.sys'
            - '\eneio64.sys'
            - '\capcom.sys'
            - '\80.sys'
            - '\asio32.sys'
            - '\iobitunlocker.sys'
            - '\zamguard64.sys'
            - '\nstrwsk.sys'
            - '\wiseunlo.sys'
            - '\t7.sys'
            - '\bs_hwmio64.sys'
            - '\hostnt.sys'
            - '\glckio2.sys'
            - '\hpportiox64.sys'
            - '\citmdrv_amd64.sys'
            - '\kevp64.sys'
            - '\bsmixp64.sys'
            - '\nbiolib_x64.sys'
            - '\d3.sys'
            - '\full.sys'
            - '\nvflash.sys'
            - '\rtcore64.sys'
            - '\speedfan.sys'
            - '\fidpcidrv64.sys'
            - '\hwrwdrv.sys'
            - '\msrhook.sys'
            - '\proxy64.sys'
            - '\7.sys'
            - '\winring0.sys'
            - '\hw_sys'
            - '\winio64b.sys'
            - '\semav6msr64.sys'
            - '\bandai.sys'
            - '\piddrv.sys'
            - '\t8.sys'
            - '\asrdrv103.sys'
            - '\adv64drv.sys'
            - '\asrsetupdrv103.sys'
            - '\bwrs.sys'
            - '\d4.sys'
            - '\dbk64.sys'
            - '\fiddrv64.sys'
            - '\goad.sys'
            - '\gametersafe.sys'
            - '\mhyprot2.sys'
            - '\lenovodiagnosticsdriver.sys'
            - '\netflt.sys'
            - '\bw.sys'
            - '\ntbios_2.sys'
            - '\dbutil.sys'
            - '\dh_kernel.sys'
            - '\rtkiow8x64.sys'
            - '\daxin_blank.sys'
            - '\superbmc.sys'
            - '\nodedriver.sys'
            - '\cpuz141.sys'
            - '\gftkyj64.sys'
            - '\d2.sys'
            - '\4.sys'
            - '\dh_kernel_10.sys'
            - '\naldrv.sys'
            - '\winiodrv.sys'
            - '\asmmap64.sys'
            - '\smep_namco.sys'
            - '\mhyprot.sys'
            - '\iqvw64e.sys'
            - '\nstr.sys'
            - '\ntiolib.sys'
            - '\pciecubed.sys'
            - '\vmdrv.sys'
            - '\daxin_blank2.sys'
            - '\atszio.sys'
            - '\agent64.sys'
            - '\cpupress.sys'
            - '\driver7-x86.sys'
            - '\krpocesshacker.sys'
            - '\asrdrv102.sys'
            - '\aswvmm.sys'
            - '\tmcomm.sys'
            - '\bs_def.sys'
            - '\bsmi.sys'
            - '\alsysio64.sys'
            - '\cpuz.sys'
            - '\daxin_blank1.sys'
            - '\amifldrv64.sys'
            - '\rwdrv.sys'
            - '\testbone.sys'
            - '\winio64c.sys'
            - '\winring0x64.sys'
            - '\nt4.sys'
            - '\procexp.sys'
            - '\winio64.sys'
            - '\se64a.sys'
            - '\air_system10.sys'
            - '\wantd.sys'
            - '\wcpu.sys'
            - '\nicm.sys'
            - '\daxin_blank6.sys'
            - '\kbdcap64.sys'
            - '\lctka.sys'
            - '\nvflsh64.sys'
            - '\phlashnt.sys'
            - '\viragt.sys'
            - '\atszio64.sys'
            - '\dbutil_2_3.sys'
            - '\phymemx64.sys'
            - '\wantd_4.sys'
            - '\ndislan.sys'
            - '\panmonfltx64.sys'
            - '\t3.sys'
            - '\panmonflt.sys'
            - '\daxin_blank3.sys'
            - '\gdrv.sys'
            - '\smep_capcom.sys'
            - '\wyproxy32.sys'
            - '\black.sys'
            - '\vboxdrv.sys'
            - '\cpuz_x64.sys'
            - '\poortry.sys'
            - '\mydrivers.sys'
            - '\winio64a.sys'
            - '\openlibsys.sys'
            - '\bs_flash64.sys'
            - '\vproeventmonitor.sys'
            - '\piddrv64.sys'
            - '\wantd_2.sys'
            - '\sysinfo.sys'
            - '\asrdrv104.sys'
            - '\netfilterdrv.sys'
            - '\libnicm.sys'
            - '\driver7-x64.sys'
            - '\semav6msr.sys'
            - '\pchunter.sys'
            - '\asupio64.sys'
            - '\rtkio64.sys'
            - '\rzpnk.sys'
            - '\magdrvamd64.sys'
            - '\elrawdsk.sys'
            - '\amp.sys'
            - '\asrautochkupddrv.sys'
            - '\lgdcatcher.sys'
            - '\fairplaykd.sys'
            - '\daxin_blank4.sys'
            - '\rtkiow10x64.sys'
            - '\citmdrv_ia64.sys'
            - '\nt5.sys'
            - '\asromgdrv.sys'
            - '\nt2.sys'
            - '\asrdrv101.sys'
    condition: selection
falsepositives:
    - Legitimate, non-vulnerable versions of the drivers listed above will also trigger this rule whenever the vendor kept the same file name across versions. Before dismissing a hit, confirm that the loaded driver is the vendor's own binary and not the vulnerable build (for example by comparing its hash and signature against a known-good copy).
    - If a particular driver causes many false positives, either remove its name from the list or add a filter on the exact path from which the legitimate driver is known to load (where such a fixed path exists).
level: medium
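The matching and tuning logic described above, as an added example that is not part of the Sigma rule or of the SigmaHQ project. It applies the rule's `ImageLoaded|endswith` test (a case-insensitive suffix match, as Sigma defines string matching) to constructed Sysmon Event ID 6 records, and then applies the tuning from the falsepositives section: a name hit is suppressed only when the driver was loaded from an exact, allowlisted path. The driver-name subset, the allowlist path under `ExampleVendor` and every event record are assumptions constructed for this example, not real telemetry or a real legitimate location.

```python
# Added example; not code from the Sigma rule or the SigmaHQ project.
# Applies the rule's `ImageLoaded|endswith` matching to constructed Sysmon
# Event ID 6 (DriverLoad) records and shows the tuning step suggested in the
# rule's falsepositives section: suppress a name hit only when the driver was
# loaded from an exact, known-legitimate path.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# A subset of the rule's name list, copied verbatim from the rule; a real
# deployment would paste the full list.
VULN_DRIVER_NAMES: List[str] = [
    r"\rtcore64.sys",
    r"\gdrv.sys",
    r"\dbutil_2_3.sys",
    r"\procexp.sys",
    r"\winring0x64.sys",
    r"\vboxdrv.sys",
]


@dataclass(frozen=True)
class DriverLoadEvent:
    """The one Sysmon Event ID 6 field the rule uses; other fields are omitted."""
    image_loaded: str


def matches_rule(event: DriverLoadEvent, names: Iterable[str] = VULN_DRIVER_NAMES) -> bool:
    """Sigma's `|endswith` is a case-insensitive suffix test. The leading backslash in
    each list entry anchors the match at a path separator, so a file whose name merely
    contains a listed name (e.g. 'myprocexp.sys') does not match."""
    path = event.image_loaded.lower()
    return any(path.endswith(name.lower()) for name in names)


# Hypothetical allowlist: listed name -> exact legitimate full paths (lowercase).
# The ExampleVendor path is a placeholder for this example only; a real deployment
# fills this from its own software inventory and only for non-vulnerable builds.
KNOWN_GOOD_PATHS: Dict[str, Set[str]] = {
    r"\vboxdrv.sys": {r"c:\program files\examplevendor\drivers\vboxdrv.sys"},
}


def triage(event: DriverLoadEvent, allowlist: Dict[str, Set[str]] = KNOWN_GOOD_PATHS) -> str:
    """Return 'no-match', 'suppressed' (name hit from an allowlisted exact path) or 'alert'."""
    if not matches_rule(event):
        return "no-match"
    path = event.image_loaded.lower()
    for name, good_paths in allowlist.items():
        # Exact full-path comparison: a copy of the same file elsewhere still alerts.
        if path.endswith(name.lower()) and path in good_paths:
            return "suppressed"
    return "alert"


def run(events: Iterable[DriverLoadEvent]) -> Dict[str, str]:
    """Map each event's ImageLoaded value to its triage verdict."""
    return {e.image_loaded: triage(e) for e in events}


# Constructed sample events (fabricated for this example, not real telemetry).
SAMPLE_EVENTS = [
    # Vulnerable driver dropped to a user-writable directory: name hit, not allowlisted.
    DriverLoadEvent(r"C:\Users\Public\RTCore64.sys"),
    # Listed name loaded from the allowlisted exact path: suppressed by tuning.
    DriverLoadEvent(r"C:\Program Files\ExampleVendor\drivers\VBoxDrv.sys"),
    # Same name copied to another directory: exact-path allowlist does not apply.
    DriverLoadEvent(r"C:\Windows\Temp\vboxdrv.sys"),
    # A vulnerable driver renamed before loading: invisible to a name-only rule.
    DriverLoadEvent(r"C:\Windows\Temp\upd.sys"),
    # Unrelated driver whose name contains a listed name without the separator.
    DriverLoadEvent(r"C:\Windows\System32\drivers\myprocexp.sys"),
]

if __name__ == "__main__":
    for path, verdict in run(SAMPLE_EVENTS).items():
        print(f"{verdict:10s} {path}")
```

The fourth sample event is the limitation the rule's description states: a name-only rule says nothing about a driver that was renamed before loading, so this rule should be deployed alongside a hash-based check rather than on its own. The exact-path allowlist is deliberately strict: a legitimate driver copied to a different directory still alerts, which is the behaviour you want when the copy is part of a BYOVD staging step.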