Vulnerable WinRing0 Driver Load
Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation
Sigma rule (View on GitHub)
1title: Vulnerable WinRing0 Driver Load
2id: 1a42dfa6-6cb2-4df9-9b48-295be477e835
3status: test
4description: Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation
5references:
6 - https://github.com/xmrig/xmrig/tree/master/bin/WinRing0
7 - https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
8author: Florian Roth (Nextron Systems)
9date: 2022-07-26
10modified: 2024-11-23
11tags:
12 - attack.persistence
13 - attack.privilege-escalation
14 - attack.t1543.003
15logsource:
16 product: windows
17 category: driver_load
18detection:
19 selection:
20 - Hashes|contains: 'IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7'
21 - ImageLoaded|endswith:
22 - '\WinRing0x64.sys'
23 - '\WinRing0.sys'
24 - '\WinRing0.dll'
25 - '\WinRing0x64.dll'
26 - '\winring00x64.sys'
27 condition: selection
28falsepositives:
29 - Unknown
30level: high
References
-
RandomX, KawPow, CryptoNight and GhostRider unified CPU/GPU miner and RandomX benchmark - xmrig/xmrig
Read More -
In our analysis of CVE-2021-21551, we found that Dell’s update didn’t fix the write-what-where condition but only limited access to administrative users.
Read More
Related rules
- Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- CosmicDuke Service Installation
- Deny Service Access Using Security Descriptor Tampering Via Sc.EXE