Vulnerable Driver Load By Name
Detects the load of known vulnerable drivers via the file name of the drivers.
Sigma rule (View on GitHub)
1title: Vulnerable Driver Load By Name
2id: 72cd00d6-490c-4650-86ff-1d11f491daa1
3status: test
4description: Detects the load of known vulnerable drivers via the file name of the drivers.
5references:
6 - https://loldrivers.io/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022-10-03
9modified: 2023-12-02
10tags:
11 - attack.privilege-escalation
12 - attack.t1543.003
13 - attack.t1068
14logsource:
15 product: windows
16 category: driver_load
17detection:
18 selection:
19 ImageLoaded|endswith:
20 - '\panmonfltx64.sys'
21 - '\dbutil.sys'
22 - '\fairplaykd.sys'
23 - '\nvaudio.sys'
24 - '\superbmc.sys'
25 - '\bsmi.sys'
26 - '\smarteio64.sys'
27 - '\bwrsh.sys'
28 - '\agent64.sys'
29 - '\asmmap64.sys'
30 - '\dellbios.sys'
31 - '\chaos-rootkit.sys'
32 - '\wcpu.sys'
33 - '\dh_kernel.sys'
34 - '\sbiosio64.sys'
35 - '\bw.sys'
36 - '\asrdrv102.sys'
37 - '\nt6.sys'
38 - '\mhyprot3.sys'
39 - '\winio64c.sys'
40 - '\asupio64.sys'
41 - '\blackbonedrv10.sys'
42 - '\d.sys'
43 - '\driver7-x86.sys'
44 - '\sfdrvx32.sys'
45 - '\enetechio64.sys'
46 - '\gdrv.sys'
47 - '\sysinfodetectorx64.sys'
48 - '\fh-ethercat_dio.sys'
49 - '\asromgdrv.sys'
50 - '\my.sys'
51 - '\dcprotect.sys'
52 - '\irec.sys'
53 - '\gedevdrv.sys'
54 - '\winio32a.sys'
55 - '\gvcidrv64.sys'
56 - '\winio32.sys'
57 - '\bs_hwmio64.sys'
58 - '\nstr.sys'
59 - '\inpoutx64.sys'
60 - '\hw.sys'
61 - '\winio64.sys'
62 - '\hpportiox64.sys'
63 - '\iobitunlocker.sys'
64 - '\b1.sys'
65 - '\aoddriver.sys'
66 - '\elbycdio.sys'
67 - '\protects.sys'
68 - '\kprocesshacker.sys'
69 - '\speedfan.sys'
70 - '\radhwmgr.sys'
71 - '\iscflashx64.sys'
72 - '\black.sys'
73 - '\b4.sys'
74 - '\hwos2ec10x64.sys'
75 - '\winflash64.sys'
76 - '\corsairllaccess64.sys'
77 - '\bs_i2cio.sys'
78 - '\d3.sys'
79 - '\windows-xp-64.sys'
80 - '\aswvmm.sys'
81 - '\bs_i2c64.sys'
82 - '\1.sys'
83 - '\nchgbios2x64.sys'
84 - '\cpuz141.sys'
85 - '\segwindrvx64.sys'
86 - '\tdeio64.sys'
87 - '\ntiolib.sys'
88 - '\gtckmdfbs.sys'
89 - '\iomap64.sys'
90 - '\avalueio.sys'
91 - '\semav6msr.sys'
92 - '\lgdcatcher.sys'
93 - '\b.sys'
94 - '\hwdetectng.sys'
95 - '\nt4.sys'
96 - '\tgsafe.sys'
97 - '\mydrivers.sys'
98 - '\eneio64.sys'
99 - '\procexp.sys'
100 - '\viragt64.sys'
101 - '\fpcie2com.sys'
102 - '\lenovodiagnosticsdriver.sys'
103 - '\cp2x72c.sys'
104 - '\kerneld.amd64'
105 - '\bs_def64.sys'
106 - '\piddrv.sys'
107 - '\amifldrv64.sys'
108 - '\cpuz_x64.sys'
109 - '\proxy32.sys'
110 - '\wsdkd.sys'
111 - '\t8.sys'
112 - '\ucorew64.sys'
113 - '\atszio.sys'
114 - '\lmiinfo.sys'
115 - '\80.sys'
116 - '\nt3.sys'
117 - '\ngiodriver.sys'
118 - '\lv561av.sys'
119 - '\gpcidrv64.sys'
120 - '\fd3b7234419fafc9bdd533f48896ed73_b816c5cd.sys'
121 - '\rtport.sys'
122 - '\full.sys'
123 - '\viragt.sys'
124 - '\fiddrv64.sys'
125 - '\cupfixerx64.sys'
126 - '\cpupress.sys'
127 - '\hwos2ec7x64.sys'
128 - '\driver7-x86-withoutdbg.sys'
129 - '\asrdrv10.sys'
130 - '\nvflsh64.sys'
131 - '\asrrapidstartdrv.sys'
132 - '\tmcomm.sys'
133 - '\wiseunlo.sys'
134 - '\rwdrv.sys'
135 - '\asio64.sys'
136 - '\nvoclock.sys'
137 - '\panio.sys'
138 - '\mtcbsv64.sys'
139 - '\amigendrv64.sys'
140 - '\capcom.sys'
141 - '\netflt.sys'
142 - '\phlashnt.sys'
143 - '\dbutil_2_3.sys'
144 - '\ni.sys'
145 - '\ntiolib_x64.sys'
146 - '\atszio64.sys'
147 - '\lgcoretemp.sys'
148 - '\lha.sys'
149 - '\phymem64.sys'
150 - '\dbutildrv2.sys'
151 - '\asrdrv103.sys'
152 - '\rtcore64.sys'
153 - '\bs_hwmio64_w10.sys'
154 - '\ene.sys'
155 - '\winio64b.sys'
156 - '\piddrv64.sys'
157 - '\directio32.sys'
158 - '\monitor_win10_x64.sys'
159 - '\nt5.sys'
160 - '\asrsmartconnectdrv.sys'
161 - '\rtif.sys'
162 - '\atillk64.sys'
163 - '\directio.sys'
164 - '\asribdrv.sys'
165 - '\kfeco11x64.sys'
166 - '\citmdrv_ia64.sys'
167 - '\sysdrv3s.sys'
168 - '\amp.sys'
169 - '\vboxdrv.sys'
170 - '\adv64drv.sys'
171 - '\hostnt.sys'
172 - '\phymem_ext64.sys'
173 - '\echo_driver.sys'
174 - '\winiodrv.sys'
175 - '\pdfwkrnl.sys'
176 - '\glckio2.sys'
177 - '\asrdrv106.sys'
178 - '\nscm.sys'
179 - '\bs_rcio64.sys'
180 - '\ncpl.sys'
181 - '\sandra.sys'
182 - '\fiddrv.sys'
183 - '\hwrwdrv.sys'
184 - '\mhyprot.sys'
185 - '\asrsetupdrv103.sys'
186 - '\iqvw64.sys'
187 - '\b3.sys'
188 - '\ssport.sys'
189 - '\bs_def.sys'
190 - '\computerz.sys'
191 - '\windows8-10-32.sys'
192 - '\nstrwsk.sys'
193 - '\lurker.sys'
194 - '\bsmemx64.sys'
195 - '\wyproxy64.sys'
196 - '\asio.sys'
197 - '\t3.sys'
198 - '\cpuz.sys'
199 - '\rtkio.sys'
200 - '\driver7-x64.sys'
201 - '\netfilterdrv.sys'
202 - '\ioaccess.sys'
203 - '\testbone.sys'
204 - '\gameink.sys'
205 - '\kevp64.sys'
206 - '\mhyprot2.sys'
207 - '\se64a.sys'
208 - '\vboxusb.sys'
209 - '\windows7-32.sys'
210 - '\vproeventmonitor.sys'
211 - '\winio64a.sys'
212 - '\asrdrv101.sys'
213 - '\netproxydriver.sys'
214 - '\elrawdsk.sys'
215 - '\zam64.sys'
216 - '\cg6kwin2k.sys'
217 - '\asupio.sys'
218 - '\stdcdrvws64.sys'
219 - '\81.sys'
220 - '\citmdrv_amd64.sys'
221 - '\amdryzenmasterdriver.sys'
222 - '\vmdrv.sys'
223 - '\sysinfo.sys'
224 - '\alsysio64.sys'
225 - '\directio64.sys'
226 - '\rzpnk.sys'
227 - '\amdpowerprofiler.sys'
228 - '\truesight.sys'
229 - '\wirwadrv.sys'
230 - '\phymemx64.sys'
231 - '\msio64.sys'
232 - '\sepdrv3_1.sys'
233 - '\gametersafe.sys'
234 - '\bs_rcio.sys'
235 - '\d4.sys'
236 - '\t.sys'
237 - '\eio.sys'
238 - '\nt2.sys'
239 - '\winring0.sys'
240 - '\physmem.sys'
241 - '\libnicm.sys'
242 - '\msio32.sys'
243 - '\asrautochkupddrv.sys'
244 - '\asio32.sys'
245 - '\etdsupp.sys'
246 - '\smep_namco.sys'
247 - '\bandai.sys'
248 - '\d2.sys'
249 - '\magdrvamd64.sys'
250 - '\nvflash.sys'
251 - '\goad.sys'
252 - '\proxy64.sys'
253 - '\amsdk.sys'
254 - '\kbdcap64.sys'
255 - '\vdbsv64.sys'
256 - '\pchunter.sys'
257 - '\sysconp.sys'
258 - '\dh_kernel_10.sys'
259 - '\msrhook.sys'
260 - '\bedaisy.sys'
261 - '\dcr.sys'
262 - '\panmonflt.sys'
263 - '\bsmixp64.sys'
264 - '\otipcibus.sys'
265 - '\fidpcidrv.sys'
266 - '\kfeco10x64.sys'
267 - '\asrdrv104.sys'
268 - '\c.sys'
269 - '\tdklib64.sys'
270 - '\bsmix64.sys'
271 - '\bs_flash64.sys'
272 - '\stdcdrv64.sys'
273 - '\naldrv.sys'
274 - '\ctiio64.sys'
275 - '\bwrs.sys'
276 - '\nicm.sys'
277 - '\winio32b.sys'
278 - '\paniox64.sys'
279 - '\ecsiodriverx64.sys'
280 - '\iomem64.sys'
281 - '\fidpcidrv64.sys'
282 - '\aswarpot.sys'
283 - '\bs_rciow1064.sys'
284 - '\asmio64.sys'
285 - '\openlibsys.sys'
286 - '\viraglt64.sys'
287 - '\dbk64.sys'
288 - '\t7.sys'
289 - '\atlaccess.sys'
290 - '\nbiolib_x64.sys'
291 - '\smep_capcom.sys'
292 - '\iqvw64e.sys'
293 condition: selection
294falsepositives:
295 - False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
296 - If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)
297level: low
References
-
SeasunProtect.sys507b07b0dc0e638b65b4a4d11a462b35439c746d42337b9888927bf994176102Vulnerable2024-09-11WINIODrv.sys3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099Vulnerable driver202...
Read More
Related rules
- Malicious Driver Load
- Malicious Driver Load By Name
- Vulnerable Driver Load
- InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
- Suspicious Sysmon as Execution Parent