Vulnerable WinRing0 Driver Load
Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation
Sigma rule (View on GitHub)
1title: Vulnerable WinRing0 Driver Load
2id: 1a42dfa6-6cb2-4df9-9b48-295be477e835
3status: test
4description: Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation
5references:
6 - https://github.com/xmrig/xmrig/tree/master/bin/WinRing0
7 - https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
8author: Florian Roth (Nextron Systems)
9date: 2022/07/26
10modified: 2022/11/19
11tags:
12 - attack.privilege_escalation
13 - attack.t1543.003
14logsource:
15 product: windows
16 category: driver_load
17detection:
18 selection_name:
19 ImageLoaded|endswith:
20 - '\WinRing0x64.sys'
21 - '\WinRing0.sys'
22 - '\WinRing0.dll'
23 - '\WinRing0x64.dll'
24 - '\winring00x64.sys'
25 selection_sysmon:
26 Hashes|contains: 'IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7'
27 selection_other:
28 Imphash: 'd41fa95d4642dc981f10de36f4dc8cd7'
29 condition: 1 of selection*
30falsepositives:
31 - Unknown
32level: high
References
-
RandomX, KawPow, CryptoNight and GhostRider unified CPU/GPU miner and RandomX benchmark - xmrig/xmrig
Read More -
In our analysis of CVE-2021-21551, we found that Dell’s update didn’t fix the write-what-where condition but only limited access to administrative users.
Read More
Related rules
- Moriya Rootkit - System
- New Kernel Driver Via SC.EXE
- New PDQDeploy Service - Client Side
- Sliver C2 Default Service Installation
- Suspicious New Service Creation