Vulnerable HackSys Extreme Vulnerable Driver Load
Detects the load of the HackSys Extreme Vulnerable Driver (HEVD), an intentionally vulnerable Windows kernel driver written so that security enthusiasts can learn and practise kernel-level exploitation. Because its bugs are documented and reliably exploitable, the driver is also abused by threat actors who bring it onto a system to gain code execution in the kernel.
Sigma rule
```yaml
title: Vulnerable HackSys Extreme Vulnerable Driver Load
id: 295c9289-acee-4503-a571-8eacaef36b28
status: test
description: Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors
references:
    - https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/18
modified: 2022/11/19
tags:
    - attack.privilege_escalation
    - attack.t1543.003
logsource:
    product: windows
    category: driver_load
detection:
    selection_name:
        ImageLoaded|endswith: '\HEVD.sys'
    selection_sysmon:
        Hashes|contains:
            - 'IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5' # Version 3.0
            - 'IMPHASH=c46ea2e651fd5f7f716c8867c6d13594' # Version 3.0
    selection_other:
        Imphash:
            - 'f26d0b110873a1c7d8c4f08fbeab89c5' # Version 3.0
            - 'c46ea2e651fd5f7f716c8867c6d13594' # Version 3.0
    condition: 1 of selection*
falsepositives:
    - Unlikely
level: high
```
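As an added example (not part of the rule or of the SigmaHQ project), the detection block above expressed in Python and run over constructed Sysmon driver_load records. Field names follow Sysmon Event ID 6; the SHA256 values are placeholders, and the renamed-driver and non-Sysmon records are assumptions made up to exercise each of the three selections.

```python
"""Added example: the Sigma rule's detection logic run over constructed driver_load events.
Not part of the rule or the SigmaHQ project."""
from typing import Any, Dict, List, Tuple

# Values copied from the rule's detection block.
DRIVER_NAME_SUFFIX = "\\hevd.sys"   # ImageLoaded|endswith '\HEVD.sys' (compared case-insensitively)
HEVD_IMPHASHES = (                  # IMPHASH values listed in the rule
    "f26d0b110873a1c7d8c4f08fbeab89c5",
    "c46ea2e651fd5f7f716c8867c6d13594",
)


def hevd_selections(event: Dict[str, Any]) -> List[str]:
    """Return the rule selections satisfied by one driver_load event, in rule order.

    Sigma string modifiers (endswith/contains) match case-insensitively, so every
    comparison lower-cases both sides. An empty list means no match; a non-empty
    list satisfies `condition: 1 of selection*`.
    """
    hits: List[str] = []

    image = str(event.get("ImageLoaded", "")).lower()
    if image.endswith(DRIVER_NAME_SUFFIX):
        hits.append("selection_name")

    # Sysmon packs all configured hashes into one field, e.g. "SHA256=<hex>,IMPHASH=<hex>";
    # the rule looks for the IMPHASH=<value> substring inside it.
    hashes = str(event.get("Hashes", "")).lower()
    if any(f"imphash={h}" in hashes for h in HEVD_IMPHASHES):
        hits.append("selection_sysmon")

    # Non-Sysmon sources that expose the import hash as its own field (exact match).
    imphash = str(event.get("Imphash", "")).lower()
    if imphash in HEVD_IMPHASHES:
        hits.append("selection_other")

    return hits


def scan(events) -> List[Tuple[str, List[str]]]:
    """Apply the rule to a batch of events; return (ImageLoaded, selections) for each alert."""
    return [(str(e.get("ImageLoaded", "")), s) for e in events if (s := hevd_selections(e))]


# Constructed sample events. Field names follow Sysmon Event ID 6; the SHA256 values
# are placeholders, not hashes of real files.
SAMPLE_EVENTS = [
    {   # HEVD loaded under its own name from a lab directory: name and import hash both match
        "EventID": 6,
        "ImageLoaded": "C:\\Users\\lab\\Desktop\\HEVD.sys",
        "Hashes": "SHA256=" + "0" * 64 + ",IMPHASH=F26D0B110873A1C7D8C4F08FBEAB89C5",
        "Signed": "false",
    },
    {   # Same driver renamed to dodge the filename check: only the import hash catches it
        "EventID": 6,
        "ImageLoaded": "C:\\Windows\\Temp\\upd.sys",
        "Hashes": "SHA256=" + "1" * 64 + ",IMPHASH=C46EA2E651FD5F7F716C8867C6D13594",
        "Signed": "false",
    },
    {   # Benign Windows driver with an unrelated import hash: no alert
        "EventID": 6,
        "ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys",
        "Hashes": "SHA256=" + "2" * 64 + ",IMPHASH=" + "a" * 32,
        "Signed": "true",
    },
    {   # Record from an assumed non-Sysmon source that carries a dedicated Imphash field
        "ImageLoaded": "C:\\Tools\\driver.sys",
        "Imphash": "f26d0b110873a1c7d8c4f08fbeab89c5",
    },
]

if __name__ == "__main__":
    for image, selections in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: matched {', '.join(selections)}")
```

Two practical points the sample records illustrate. The renamed-driver case is why the rule does not rely on the file name alone: the selection on the Sysmon `Hashes` field only fires if Sysmon is configured to compute IMPHASH (its `HashAlgorithms` setting must include `IMPHASH` or `*`), so check that before trusting the hash-based selections in your telemetry. Conversely, an import hash that is not on the list does not clear a driver: a rebuilt HEVD with a different import table gets a different IMPHASH, which is why the filename selection is kept alongside it.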
Related rules
- New PDQDeploy Service - Server Side
- Moriya Rootkit - System
- New Kernel Driver Via SC.EXE
- New PDQDeploy Service - Client Side
- Sliver C2 Default Service Installation