Vulnerable HackSys Extreme Vulnerable Driver Load
Detects the load of the HackSys Extreme Vulnerable Driver (HEVD), an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their kernel-level exploitation skills, and one that is also abused by threat actors as a bring-your-own-vulnerable-driver (BYOVD) component.
Sigma rule
```yaml
title: Vulnerable HackSys Extreme Vulnerable Driver Load
id: 295c9289-acee-4503-a571-8eacaef36b28
status: test
description: Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors
references:
    - https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-18
modified: 2024-11-23
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    product: windows
    category: driver_load
detection:
    selection:
        - ImageLoaded|endswith: '\HEVD.sys'
        - Hashes|contains:
            - 'IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5' # Version 3.0
            - 'IMPHASH=c46ea2e651fd5f7f716c8867c6d13594' # Version 3.0
    condition: selection
falsepositives:
    - Unlikely
level: high
```
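The `selection` above is a YAML list of two maps, which Sigma joins with OR: the rule fires when the loaded image path ends with `\HEVD.sys` or when the `Hashes` field contains one of the two IMPHASH tokens. The following added example (it is not part of the SigmaHQ rule, the HEVD project, or any Sigma backend) evaluates that logic in plain Python over constructed Sysmon Event ID 6 (DriverLoad) records, to show which records each list item catches and which it misses. Field names follow Sysmon's driver-load event; the records and the placeholder SHA256 values are constructed, and only the two IMPHASH values come from the rule.

```python
# Added example, not the rule's or the project's code: a minimal evaluator for the
# rule's 'selection' block, run over constructed Sysmon Event ID 6 records.

# Values copied from the rule. Sigma string modifiers match case-insensitively,
# so both sides are lower-cased before comparison.
HEVD_IMAGE_SUFFIX = "\\hevd.sys"
HEVD_IMPHASH_TOKENS = (
    "imphash=f26d0b110873a1c7d8c4f08fbeab89c5",
    "imphash=c46ea2e651fd5f7f716c8867c6d13594",
)


def matches_hevd_rule(event: dict) -> bool:
    """Evaluate 'condition: selection'.

    'selection' is a list of two maps, so Sigma ORs them: either the ImageLoaded
    path ends with '\\HEVD.sys' or the Hashes field contains one of the two
    IMPHASH tokens. Missing fields are treated as empty strings.
    """
    image = str(event.get("ImageLoaded", "")).lower()
    hashes = str(event.get("Hashes", "")).lower()
    if image.endswith(HEVD_IMAGE_SUFFIX):
        return True
    return any(token in hashes for token in HEVD_IMPHASH_TOKENS)


def scan(events):
    """Return the RecordIds of every event that fires the rule, in input order."""
    return [e["RecordId"] for e in events if matches_hevd_rule(e)]


# Constructed sample records (not real telemetry). The SHA256 values are
# placeholders; only the two IMPHASHes taken from the rule are real.
PLACEHOLDER_SHA256 = "SHA256=" + "0" * 64

SAMPLE_EVENTS = [
    {   # Stock HEVD loaded under its own name: fires on the path item.
        "RecordId": 1, "EventID": 6,
        "ImageLoaded": "C:\\Windows\\System32\\drivers\\HEVD.sys",
        "Hashes": PLACEHOLDER_SHA256 + ",IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5",
    },
    {   # Same binary renamed to blend in (typical for BYOVD): the path item
        # misses, the IMPHASH item still fires. Upper-case hex is matched too.
        "RecordId": 2, "EventID": 6,
        "ImageLoaded": "C:\\Users\\Public\\storage.sys",
        "Hashes": PLACEHOLDER_SHA256 + ",IMPHASH=C46EA2E651FD5F7F716C8867C6D13594",
    },
    {   # Legitimate driver with an unrelated IMPHASH (placeholder): no match.
        "RecordId": 3, "EventID": 6,
        "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
        "Hashes": PLACEHOLDER_SHA256 + ",IMPHASH=" + "1" * 32,
    },
    {   # Filename that merely ends in 'HEVD.sys': the leading backslash in the
        # rule's '\\HEVD.sys' requires an exact basename, so the path item does
        # not fire, and the (placeholder) IMPHASH is unrelated, so it stays silent.
        "RecordId": 4, "EventID": 6,
        "ImageLoaded": "C:\\temp\\notHEVD.sys",
        "Hashes": PLACEHOLDER_SHA256 + ",IMPHASH=" + "2" * 32,
    },
]

if __name__ == "__main__":
    print("matching RecordIds:", scan(SAMPLE_EVENTS))
```

Record 2 is the reason the rule carries both items: renaming the file defeats the path check, but the import hash is a property of the PE's import table and survives a rename. The reverse caveat also holds: HEVD is open source, so a build compiled with a different import table has a different IMPHASH and is only caught by the path item if the operator kept the original filename. Treat the two IMPHASHes as coverage for the published binaries the rule's comments label, not for every possible HEVD build.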
Related rules
- Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- CosmicDuke Service Installation
- Deny Service Access Using Security Descriptor Tampering Via Sc.EXE