Detectionmediumtest

Malicious Driver Load By Name

Detects loading of known malicious drivers via the file name of the drivers.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Nasreddine Bencherchali (Nextron Systems)Created Mon Oct 03Updated Sat Dec 0239b64854-5497-4b57-a448-40977b8c9679windows

Log Source

WindowsDriver Load

ProductWindows← raw: windows

CategoryDriver Load← raw: driver_load

Detection Logic

detection:
    selection:
        ImageLoaded|endswith:
            - '\wfshbr64.sys'
            - '\ktmutil7odm.sys'
            - '\ktes.sys'
            - '\a26363e7b02b13f2b8d697abb90cd5c3.sys'
            - '\kt2.sys'
            - '\4748696211bd56c2d93c21cab91e82a5.sys'
            - '\malicious.sys'
            - '\a236e7d654cd932b7d11cb604629a2d0.sys'
            - '\spwizimgvt.sys'
            - '\c94f405c5929cfcccc8ad00b42c95083.sys'
            - '\fur.sys'
            - '\wantd.sys'
            - '\windbg.sys'
            - '\4118b86e490aed091b1a219dba45f332.sys'
            - '\gmer64.sys'
            - '\1fc7aeeff3ab19004d2e53eae8160ab1.sys'
            - '\poortry2.sys'
            - '\wintapix.sys'
            - '\daxin_blank6.sys'
            - '\6771b13a53b9c7449d4891e427735ea2.sys'
            - '\blacklotus_driver.sys'
            - '\air_system10.sys'
            - '\dkrtk.sys'
            - '\7.sys'
            - '\sense5ext.sys'
            - '\ktgn.sys'
            - '\ndislan.sys'
            - '\nlslexicons0024uvn.sys'
            - '\be6318413160e589080df02bb3ca6e6a.sys'
            - '\4.sys'
            - '\wantd_2.sys'
            - '\e29f6311ae87542b3d693c1f38e4e3ad.sys'
            - '\daxin_blank3.sys'
            - '\gftkyj64.sys'
            - '\daxin_blank2.sys'
            - '\wantd_4.sys'
            - '\reddriver.sys'
            - '\834761775.sys'
            - '\mlgbbiicaihflrnh.sys'
            - '\mjj0ge.sys'
            - '\daxin_blank.sys'
            - '\daxin_blank5.sys'
            - '\poortry1.sys'
            - '\msqpq.sys'
            - '\mimidrv.sys'
            - '\e939448b28a4edc81f1f974cebf6e7d2.sys'
            - '\prokiller64.sys'
            - '\nodedriver.sys'
            - '\wantd_3.sys'
            - '\lctka.sys'
            - '\kapchelper_x64.sys'
            - '\daxin_blank4.sys'
            - '\a9df5964635ef8bd567ae487c3d214c4.sys'
            - '\wantd_6.sys'
            - '\ntbios.sys'
            - '\wantd_5.sys'
            - '\pciecubed.sys'
            - '\mimikatz.sys'
            - '\nqrmq.sys'
            - '\2.sys'
            - '\poortry.sys'
            - '\ntbios_2.sys'
            - '\fgme.sys'
            - '\telephonuafy.sys'
            - '\typelibde.sys'
            - '\daxin_blank1.sys'
            - '\ef0e1725aaf0c6c972593f860531a2ea.sys'
            - '\5a4fe297c7d42539303137b6d75b150d.sys'
    condition: selection

False Positives

False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.

If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)

References

Resolving title…

loldrivers.io

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0004 · Privilege Escalation

Techniques

T1068 · Exploitation for Privilege Escalation

Sub-techniques

T1543.003 · Windows Service

Rule Metadata