Vulnerable Driver Load By Name

Detects the load of known vulnerable drivers via the file name of the drivers.

Sigma rule

title: Vulnerable Driver Load By Name
id: 72cd00d6-490c-4650-86ff-1d11f491daa1
status: experimental
description: Detects the load of known vulnerable drivers via the file name of the drivers.
references:
    - https://loldrivers.io/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/10/03
modified: 2023/12/02
tags:
    - attack.privilege_escalation
    - attack.t1543.003
    - attack.t1068
logsource:
    product: windows
    category: driver_load
detection:
    selection:
        ImageLoaded|endswith:
            - '\panmonfltx64.sys'
            - '\dbutil.sys'
            - '\fairplaykd.sys'
            - '\nvaudio.sys'
            - '\superbmc.sys'
            - '\bsmi.sys'
            - '\smarteio64.sys'
            - '\bwrsh.sys'
            - '\agent64.sys'
            - '\asmmap64.sys'
            - '\dellbios.sys'
            - '\chaos-rootkit.sys'
            - '\wcpu.sys'
            - '\dh_kernel.sys'
            - '\sbiosio64.sys'
            - '\bw.sys'
            - '\asrdrv102.sys'
            - '\nt6.sys'
            - '\mhyprot3.sys'
            - '\winio64c.sys'
            - '\asupio64.sys'
            - '\blackbonedrv10.sys'
            - '\d.sys'
            - '\driver7-x86.sys'
            - '\sfdrvx32.sys'
            - '\enetechio64.sys'
            - '\gdrv.sys'
            - '\sysinfodetectorx64.sys'
            - '\fh-ethercat_dio.sys'
            - '\asromgdrv.sys'
            - '\my.sys'
            - '\dcprotect.sys'
            - '\irec.sys'
            - '\gedevdrv.sys'
            - '\winio32a.sys'
            - '\gvcidrv64.sys'
            - '\winio32.sys'
            - '\bs_hwmio64.sys'
            - '\nstr.sys'
            - '\inpoutx64.sys'
            - '\hw.sys'
            - '\winio64.sys'
            - '\hpportiox64.sys'
            - '\iobitunlocker.sys'
            - '\b1.sys'
            - '\aoddriver.sys'
            - '\elbycdio.sys'
            - '\protects.sys'
            - '\kprocesshacker.sys'
            - '\speedfan.sys'
            - '\radhwmgr.sys'
            - '\iscflashx64.sys'
            - '\black.sys'
            - '\b4.sys'
            - '\hwos2ec10x64.sys'
            - '\winflash64.sys'
            - '\corsairllaccess64.sys'
            - '\bs_i2cio.sys'
            - '\d3.sys'
            - '\windows-xp-64.sys'
            - '\aswvmm.sys'
            - '\bs_i2c64.sys'
            - '\1.sys'
            - '\nchgbios2x64.sys'
            - '\cpuz141.sys'
            - '\segwindrvx64.sys'
            - '\tdeio64.sys'
            - '\ntiolib.sys'
            - '\gtckmdfbs.sys'
            - '\iomap64.sys'
            - '\avalueio.sys'
            - '\semav6msr.sys'
            - '\lgdcatcher.sys'
            - '\b.sys'
            - '\hwdetectng.sys'
            - '\nt4.sys'
            - '\tgsafe.sys'
            - '\mydrivers.sys'
            - '\eneio64.sys'
            - '\procexp.sys'
            - '\viragt64.sys'
            - '\fpcie2com.sys'
            - '\lenovodiagnosticsdriver.sys'
            - '\cp2x72c.sys'
            - '\kerneld.amd64'
            - '\bs_def64.sys'
            - '\piddrv.sys'
            - '\amifldrv64.sys'
            - '\cpuz_x64.sys'
            - '\proxy32.sys'
            - '\wsdkd.sys'
            - '\t8.sys'
            - '\ucorew64.sys'
            - '\atszio.sys'
            - '\lmiinfo.sys'
            - '\80.sys'
            - '\nt3.sys'
            - '\ngiodriver.sys'
            - '\lv561av.sys'
            - '\gpcidrv64.sys'
            - '\fd3b7234419fafc9bdd533f48896ed73_b816c5cd.sys'
            - '\rtport.sys'
            - '\full.sys'
            - '\viragt.sys'
            - '\fiddrv64.sys'
            - '\cupfixerx64.sys'
            - '\cpupress.sys'
            - '\hwos2ec7x64.sys'
            - '\driver7-x86-withoutdbg.sys'
            - '\asrdrv10.sys'
            - '\nvflsh64.sys'
            - '\asrrapidstartdrv.sys'
            - '\tmcomm.sys'
            - '\wiseunlo.sys'
            - '\rwdrv.sys'
            - '\asio64.sys'
            - '\nvoclock.sys'
            - '\panio.sys'
            - '\mtcbsv64.sys'
            - '\amigendrv64.sys'
            - '\capcom.sys'
            - '\netflt.sys'
            - '\phlashnt.sys'
            - '\dbutil_2_3.sys'
            - '\ni.sys'
            - '\ntiolib_x64.sys'
            - '\atszio64.sys'
            - '\lgcoretemp.sys'
            - '\lha.sys'
            - '\phymem64.sys'
            - '\dbutildrv2.sys'
            - '\asrdrv103.sys'
            - '\rtcore64.sys'
            - '\bs_hwmio64_w10.sys'
            - '\ene.sys'
            - '\winio64b.sys'
            - '\piddrv64.sys'
            - '\directio32.sys'
            - '\monitor_win10_x64.sys'
            - '\nt5.sys'
            - '\asrsmartconnectdrv.sys'
            - '\rtif.sys'
            - '\atillk64.sys'
            - '\directio.sys'
            - '\asribdrv.sys'
            - '\kfeco11x64.sys'
            - '\citmdrv_ia64.sys'
            - '\sysdrv3s.sys'
            - '\amp.sys'
            - '\vboxdrv.sys'
            - '\adv64drv.sys'
            - '\hostnt.sys'
            - '\phymem_ext64.sys'
            - '\echo_driver.sys'
            - '\winiodrv.sys'
            - '\pdfwkrnl.sys'
            - '\glckio2.sys'
            - '\asrdrv106.sys'
            - '\nscm.sys'
            - '\bs_rcio64.sys'
            - '\ncpl.sys'
            - '\sandra.sys'
            - '\fiddrv.sys'
            - '\hwrwdrv.sys'
            - '\mhyprot.sys'
            - '\asrsetupdrv103.sys'
            - '\iqvw64.sys'
            - '\b3.sys'
            - '\ssport.sys'
            - '\bs_def.sys'
            - '\computerz.sys'
            - '\windows8-10-32.sys'
            - '\nstrwsk.sys'
            - '\lurker.sys'
            - '\bsmemx64.sys'
            - '\wyproxy64.sys'
            - '\asio.sys'
            - '\t3.sys'
            - '\cpuz.sys'
            - '\rtkio.sys'
            - '\driver7-x64.sys'
            - '\netfilterdrv.sys'
            - '\ioaccess.sys'
            - '\testbone.sys'
            - '\gameink.sys'
            - '\kevp64.sys'
            - '\mhyprot2.sys'
            - '\se64a.sys'
            - '\vboxusb.sys'
            - '\windows7-32.sys'
            - '\vproeventmonitor.sys'
            - '\winio64a.sys'
            - '\asrdrv101.sys'
            - '\netproxydriver.sys'
            - '\elrawdsk.sys'
            - '\zam64.sys'
            - '\cg6kwin2k.sys'
            - '\asupio.sys'
            - '\stdcdrvws64.sys'
            - '\81.sys'
            - '\citmdrv_amd64.sys'
            - '\amdryzenmasterdriver.sys'
            - '\vmdrv.sys'
            - '\sysinfo.sys'
            - '\alsysio64.sys'
            - '\directio64.sys'
            - '\rzpnk.sys'
            - '\amdpowerprofiler.sys'
            - '\truesight.sys'
            - '\wirwadrv.sys'
            - '\phymemx64.sys'
            - '\msio64.sys'
            - '\sepdrv3_1.sys'
            - '\gametersafe.sys'
            - '\bs_rcio.sys'
            - '\d4.sys'
            - '\t.sys'
            - '\eio.sys'
            - '\nt2.sys'
            - '\winring0.sys'
            - '\physmem.sys'
            - '\libnicm.sys'
            - '\msio32.sys'
            - '\asrautochkupddrv.sys'
            - '\asio32.sys'
            - '\etdsupp.sys'
            - '\smep_namco.sys'
            - '\bandai.sys'
            - '\d2.sys'
            - '\magdrvamd64.sys'
            - '\nvflash.sys'
            - '\goad.sys'
            - '\proxy64.sys'
            - '\amsdk.sys'
            - '\kbdcap64.sys'
            - '\vdbsv64.sys'
            - '\pchunter.sys'
            - '\sysconp.sys'
            - '\dh_kernel_10.sys'
            - '\msrhook.sys'
            - '\bedaisy.sys'
            - '\dcr.sys'
            - '\panmonflt.sys'
            - '\bsmixp64.sys'
            - '\otipcibus.sys'
            - '\fidpcidrv.sys'
            - '\kfeco10x64.sys'
            - '\asrdrv104.sys'
            - '\c.sys'
            - '\tdklib64.sys'
            - '\bsmix64.sys'
            - '\bs_flash64.sys'
            - '\stdcdrv64.sys'
            - '\naldrv.sys'
            - '\ctiio64.sys'
            - '\bwrs.sys'
            - '\nicm.sys'
            - '\winio32b.sys'
            - '\paniox64.sys'
            - '\ecsiodriverx64.sys'
            - '\iomem64.sys'
            - '\fidpcidrv64.sys'
            - '\aswarpot.sys'
            - '\bs_rciow1064.sys'
            - '\asmio64.sys'
            - '\openlibsys.sys'
            - '\viraglt64.sys'
            - '\dbk64.sys'
            - '\t7.sys'
            - '\atlaccess.sys'
            - '\nbiolib_x64.sys'
            - '\smep_capcom.sys'
            - '\iqvw64e.sys'
    condition: selection
falsepositives:
    - False positives may occur when a patched driver kept the same file name as the vulnerable version listed above. Always verify that the driver being loaded is the legitimate, non-vulnerable version.
    - If you experience many false positives, you can comment out the driver name or filter on its exact known legitimate location (when possible).
level: low
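The rule's whole detection logic is one `ImageLoaded|endswith` list evaluated over driver_load events, with the false-positive tuning left to the analyst. The following added example (not part of the SigmaHQ rule or its tooling) evaluates that selection over constructed Sysmon Event ID 6 records using only a subset of the rule's suffixes, applies Sigma's case-insensitive string matching, and shows the path-based tuning the falsepositives section suggests; the `KNOWN_LEGITIMATE_PATHS` allowlist is a hypothetical example value.

```python
"""Evaluate the rule's ImageLoaded|endswith selection over driver_load events."""

# Subset of the rule's ImageLoaded|endswith values; the full list is in the rule above.
# The leading backslash anchors each value to the whole file name, so '\d.sys'
# matches '...\d.sys' but not '...\nd.sys'.
VULNERABLE_DRIVER_SUFFIXES = [
    r"\dbutil_2_3.sys",
    r"\gdrv.sys",
    r"\rtcore64.sys",
    r"\procexp.sys",
    r"\vboxdrv.sys",
]

# Hypothetical tuning per the rule's falsepositives note: exact, known-legitimate
# locations whose loads should not alert (lower-cased for comparison).
KNOWN_LEGITIMATE_PATHS = {
    r"c:\program files\oracle\virtualbox\drivers\vboxdrv\vboxdrv.sys",
}


def sigma_endswith(value: str, suffixes) -> bool:
    """Sigma string comparisons are case-insensitive, so normalise both sides."""
    lowered = value.lower()
    return any(lowered.endswith(s.lower()) for s in suffixes)


def evaluate(event: dict) -> bool:
    """True when the event fires the rule (condition: selection) after path tuning."""
    image = event.get("ImageLoaded", "")
    if not sigma_endswith(image, VULNERABLE_DRIVER_SUFFIXES):
        return False
    # Name matching alone cannot tell a patched driver from a vulnerable one;
    # an exact-path allowlist is the tuning the rule suggests, not a signature check.
    return image.lower() not in KNOWN_LEGITIMATE_PATHS


# Constructed Sysmon EID 6 (driver_load) records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\DBUtil_2_3.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\gdrv.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Program Files\Oracle\VirtualBox\drivers\vboxdrv\VBoxDrv.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\procexp.sys.bak"},
]


def matching_events(events) -> list:
    """Return the ImageLoaded paths that the tuned rule would alert on."""
    return [e["ImageLoaded"] for e in events if evaluate(e)]


if __name__ == "__main__":
    for hit in matching_events(SAMPLE_EVENTS):
        print("vulnerable driver load:", hit)
```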
