Vulnerable HackSys Extreme Vulnerable Driver Load
Detects the load of the HackSys Extreme Vulnerable Driver (HEVD), an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their kernel-level exploitation skills, and one that is often abused by threat actors.
Sigma rule

```yaml
title: Vulnerable HackSys Extreme Vulnerable Driver Load
id: 295c9289-acee-4503-a571-8eacaef36b28
status: test
description: Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors
references:
    - https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-18
modified: 2022-11-19
tags:
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    product: windows
    category: driver_load
detection:
    selection_name:
        ImageLoaded|endswith: '\HEVD.sys'
    selection_sysmon:
        Hashes|contains:
            - 'IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5' # Version 3.0
            - 'IMPHASH=c46ea2e651fd5f7f716c8867c6d13594' # Version 3.0
    selection_other:
        Imphash:
            - 'f26d0b110873a1c7d8c4f08fbeab89c5' # Version 3.0
            - 'c46ea2e651fd5f7f716c8867c6d13594' # Version 3.0
    condition: 1 of selection*
falsepositives:
    - Unlikely
level: high
```
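The rule fires when any one of its three selections matches, so a renamed copy of the driver is still caught by its import hash. As an added example that is not part of the Sigma project or this rule, the evaluator below implements those three selections with Sigma's default case-insensitive string matching and runs them over constructed Sysmon-style driver_load events; the field names follow Sysmon Event ID 6 and the two import hashes are the ones listed in the rule, everything else is made up.

```python
# Minimal evaluator for the three selections of the HEVD driver-load rule.
# Sigma string matching (endswith / contains / equals) is case-insensitive by default,
# so every comparison is done on lowercased values.
HEVD_IMPHASHES = {
    "f26d0b110873a1c7d8c4f08fbeab89c5",  # Version 3.0 (from the rule)
    "c46ea2e651fd5f7f716c8867c6d13594",  # Version 3.0 (from the rule)
}

def selection_name(event: dict) -> bool:
    # ImageLoaded|endswith: '\HEVD.sys'
    return event.get("ImageLoaded", "").lower().endswith("\\hevd.sys")

def selection_sysmon(event: dict) -> bool:
    # Hashes|contains: 'IMPHASH=<hash>' -- Sysmon packs several algorithms into one field
    hashes = event.get("Hashes", "").lower()
    return any(f"imphash={h}" in hashes for h in HEVD_IMPHASHES)

def selection_other(event: dict) -> bool:
    # Imphash: <hash> -- log sources that expose the import hash as its own field
    return event.get("Imphash", "").lower() in HEVD_IMPHASHES

def matches(event: dict) -> bool:
    # condition: 1 of selection*
    return selection_name(event) or selection_sysmon(event) or selection_other(event)

# Constructed sample events: a plainly named HEVD.sys, a renamed copy found by its
# IMPHASH inside Sysmon's Hashes field, a renamed copy found via a separate Imphash
# field, and a benign driver that must not alert. Hash values other than the two
# HEVD import hashes are placeholders.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Users\lab\Desktop\HEVD.sys",
     "Hashes": "SHA256=" + "0" * 64},
    {"ImageLoaded": r"C:\Windows\Temp\drv.sys",
     "Hashes": "SHA1=" + "0" * 40 + ",IMPHASH=F26D0B110873A1C7D8C4F08FBEAB89C5"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\benign.sys",
     "Imphash": "c46ea2e651fd5f7f716c8867c6d13594"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys",
     "Hashes": "IMPHASH=" + "0" * 32},
]

def alerting_events(events) -> list:
    # Return the ImageLoaded path of every event the rule would alert on.
    return [e["ImageLoaded"] for e in events if matches(e)]

if __name__ == "__main__":
    for path in alerting_events(SAMPLE_EVENTS):
        print("HEVD driver load detected:", path)
```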
References
- https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
Related rules
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- Driver Load From A Temporary Directory
- Moriya Rootkit - System
- Moriya Rootkit File Created