Vulnerable WinRing0 Driver Load

Nov 25, 2024 · attack.privilege-escalation attack.t1543.003 ·

Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation

Sigma rule (View on GitHub)

 1title: Vulnerable WinRing0 Driver Load
 2id: 1a42dfa6-6cb2-4df9-9b48-295be477e835
 3status: test
 4description: Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation
 5references:
 6    - https://github.com/xmrig/xmrig/tree/master/bin/WinRing0
 7    - https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
 8author: Florian Roth (Nextron Systems)
 9date: 2022-07-26
10modified: 2024-11-23
11tags:
12    - attack.privilege-escalation
13    - attack.t1543.003
14logsource:
15    product: windows
16    category: driver_load
17detection:
18    selection:
19        - Hashes|contains: 'IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7'
20        - ImageLoaded|endswith:
21              - '\WinRing0x64.sys'
22              - '\WinRing0.sys'
23              - '\WinRing0.dll'
24              - '\WinRing0x64.dll'
25              - '\winring00x64.sys'
26    condition: selection
27falsepositives:
28    - Unknown
29level: high

References

xmrig/bin/WinRing0 at master · xmrig/xmrig

RandomX, KawPow, CryptoNight and GhostRider unified CPU/GPU miner and RandomX benchmark - xmrig/xmrig

Read More
Driver-Based Attacks: Past and Present | Rapid7 Blog

In our analysis of CVE-2021-21551, we found that Dell’s update didn’t fix the write-what-where condition but only limited access to administrative users.

Read More

Vulnerable WinRing0 Driver Load

Sigma rule (View on GitHub)

References

xmrig/bin/WinRing0 at master · xmrig/xmrig

Driver-Based Attacks: Past and Present | Rapid7 Blog

Related rules