driver_load_win_mal_drivers_names.yml
title: Malicious Driver Load By Name
id: 39b64854-5497-4b57-a448-40977b8c9679
status: experimental
description: Detects loading of known malicious drivers via the file name of the driver.
references:
    - https://loldrivers.io/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/10/03
modified: 2025/01/13
tags:
    - attack.privilege_escalation
    - attack.t1543.003
    - attack.t1068
logsource:
    product: windows
    category: driver_load
detection:
    selection:
        ImageLoaded|endswith:
            - '\wfshbr64.sys'
            - '\e29f6311ae87542b3d693c1f38e4e3ad.sys'
            - '\driver_206006a1.sys'
            - '\avkiller.sys'
            - '\driver_16773074.sys'
            - '\driver_d9f15d91.sys'
            - '\mimidrv.sys'
            - '\7.sys'
            - '\driver_ef9d653a.sys'
            - '\daxin_blank5.sys'
            - '\poortry2.sys'
            - '\air_system10.sys'
            - '\ntbios_2.sys'
            - '\daxin_blank.sys'
            - '\reddriver.sys'
            - '\driver_5d61e4ea.sys'
            - '\poortry.sys'
            - '\6771b13a53b9c7449d4891e427735ea2.sys'
            - '\dkrtk.sys'
            - '\kapchelper_x64.sys'
            - '\lctka.sys'
            - '\driver_090d409f.sys'
            - '\gmer64.sys'
            - '\fgme.sys'
            - '\4118b86e490aed091b1a219dba45f332.sys'
            - '\driver_5c308aed.sys'
            - '\5a4fe297c7d42539303137b6d75b150d.sys'
            - '\spwizimgvt.sys'
            - '\daxin_blank1.sys'
            - '\driver_b4f33ffe.sys'
            - '\poortry1.sys'
            - '\ktes.sys'
            - '\driver_ab811ca5.sys'
            - '\driver_981d03e1.sys'
            - '\ef0e1725aaf0c6c972593f860531a2ea.sys'
            - '\a9df5964635ef8bd567ae487c3d214c4.sys'
            - '\driver_d1ea9e16.sys'
            - '\driver_290bc782.sys'
            - '\idmtdi.sys'
            - '\driver_930da474.sys'
            - '\driver_77225a99.sys'
            - '\driver_89036534.sys'
            - '\driver_e1123b59.sys'
            - '\ndislan.sys'
            - '\malicious.sys'
            - '\blacklotus_driver.sys'
            - '\daxin_blank6.sys'
            - '\driver_4fc254af.sys'
            - '\f.sys'
            - '\driver_668c5bea.sys'
            - '\be6318413160e589080df02bb3ca6e6a.sys'
            - '\4.sys'
            - '\driver_0a636606.sys'
            - '\driver_85ca0dcd.sys'
            - '\wantd.sys'
            - '\ntbios.sys'
            - '\nlslexicons0024uvn.sys'
            - '\nqrmq.sys'
            - '\mjj0ge.sys'
            - '\wantd_3.sys'
            - '\windivert.sys'
            - '\driver_4f9b5a2f.sys'
            - '\driver_bfcbc010.sys'
            - '\driver_82d928c5.sys'
            - '\driver_146b8f4f.sys'
            - '\sense5ext.sys'
            - '\daxin_blank3.sys'
            - '\wantd_5.sys'
            - '\driver_0ffb4081.sys'
            - '\nodedriver.sys'
            - '\driver_4d8bc539.sys'
            - '\driver_1afc1d06.sys'
            - '\wintapix.sys'
            - '\prokiller64.sys'
            - '\wantd_6.sys'
            - '\gftkyj64.sys'
            - '\daxin_blank2.sys'
            - '\kt2.sys'
            - '\pciecubed.sys'
            - '\driver_1a74c2bd.sys'
            - '\fur.sys'
            - '\a26363e7b02b13f2b8d697abb90cd5c3.sys'
            - '\typelibde.sys'
            - '\2.sys'
            - '\driver_fdd16a94.sys'
            - '\wantd_2.sys'
            - '\1fc7aeeff3ab19004d2e53eae8160ab1.sys'
            - '\wantd_4.sys'
            - '\driver_c3d48ddd.sys'
            - '\4748696211bd56c2d93c21cab91e82a5.sys'
            - '\mimikatz.sys'
            - '\windbg.sys'
            - '\msqpq.sys'
            - '\mlgbbiicaihflrnh.sys'
            - '\ktgn.sys'
            - '\ktmutil7odm.sys'
            - '\a236e7d654cd932b7d11cb604629a2d0.sys'
            - '\e939448b28a4edc81f1f974cebf6e7d2.sys'
            - '\driver_312c83a9.sys'
            - '\driver_099ef491.sys'
            - '\c94f405c5929cfcccc8ad00b42c95083.sys'
            - '\daxin_blank4.sys'
            - '\834761775.sys'
            - '\telephonuafy.sys'
            - '\driver_a6deeea6.sys'
    condition: selection
falsepositives:
    - False positives may occur if one of the vulnerable drivers mentioned above kept the same file name across versions, so always make sure that the driver being loaded is the legitimate one and a non-vulnerable version.
    - If you experience a lot of false positives, you can comment out the driver name or filter on its exact known legitimate location (when possible).
level: medium
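The following is an added example, not part of the rule above or of the Sigma project: a small evaluator that applies this rule's `ImageLoaded|endswith` selection to a few constructed Sysmon DriverLoad-style records, using a subset of the rule's driver names, and shows the known-legitimate-location tuning suggested under `falsepositives`. The event records, the allowlisted path and the choice of names are assumptions made for illustration.

```python
from typing import Dict, Iterable, List

# Subset of the rule's ImageLoaded|endswith values (the full list is in the rule).
# The leading backslash anchors the whole file name, so "notmimidrv.sys" is not a hit.
MALICIOUS_DRIVER_SUFFIXES = (
    r"\mimidrv.sys",
    r"\gmer64.sys",
    r"\windivert.sys",
    r"\poortry.sys",
    r"\blacklotus_driver.sys",
)

# Hypothetical tuning from the falsepositives note: one exact location where a
# legitimate, non-vulnerable build of a same-named driver is known to live.
# Constructed for this example; verify such paths against your own inventory.
KNOWN_LEGITIMATE_LOCATIONS = {
    r"c:\windows\system32\drivers\windivert.sys",
}


def matches_selection(image_loaded: str) -> bool:
    """Sigma string modifiers compare case-insensitively by default, so lower() first."""
    path = image_loaded.lower()
    return any(path.endswith(suffix) for suffix in MALICIOUS_DRIVER_SUFFIXES)


def evaluate(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per event matching the selection and not tuned out."""
    alerts = []
    for event in events:
        path = event.get("ImageLoaded", "")
        if not matches_selection(path):
            continue
        if path.lower() in KNOWN_LEGITIMATE_LOCATIONS:
            continue  # exact known-legitimate location: suppressed per falsepositives
        alerts.append({"Computer": event.get("Computer", ""), "ImageLoaded": path})
    return alerts


# Constructed DriverLoad-style events (Sysmon Event ID 6 carries ImageLoaded).
SAMPLE_EVENTS = [
    {"Computer": "ws01", "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys"},
    {"Computer": "ws01", "ImageLoaded": r"C:\Users\Public\MIMIDRV.SYS"},
    {"Computer": "ws02", "ImageLoaded": r"C:\Windows\System32\drivers\notmimidrv.sys"},
    {"Computer": "ws02", "ImageLoaded": r"C:\Windows\System32\drivers\WinDivert.sys"},
    {"Computer": "ws03", "ImageLoaded": r"C:\Temp\windivert.sys"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"{alert['Computer']}: Malicious Driver Load By Name -> {alert['ImageLoaded']}")
```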