LoFP / False positives may occur when one of the vulnerable drivers listed below kept the same file name between its vulnerable and its patched version: a match on file name alone cannot tell the two apart. Always confirm that the loaded driver is the legitimate one and not a vulnerable version — for example by comparing the file's hash and signer against the known-vulnerable entries rather than trusting the name. Note also that both rules below match on the file name only, so a renamed copy of a malicious or vulnerable driver will not be caught by them.

Techniques

Sample rules

Malicious Driver Load By Name

Description

Detects the load of known malicious drivers by matching the driver's file name (the ImageLoaded path suffix) only; the content of the file is not inspected.

Detection logic

# Detection block of the Sigma rule "Malicious Driver Load By Name".
# The rule fires when the loaded image path (ImageLoaded) ends with any one of
# the suffixes listed below; Sigma ORs the values of a list under a field.
# This is a name-only match: a renamed copy of the same driver is not caught,
# and an unrelated file that happens to carry one of these names will fire.
# Corroborate a hit with the file hash / signer before acting on it.
condition: selection
selection:
  # Leading backslash anchors the match to a full file name, not a suffix of
  # a longer name. Entries that are 32 hex characters are presumably hash-named
  # samples from the source list — verify against it if a hit looks odd.
  ImageLoaded|endswith:
  - \wfshbr64.sys
  - \ktmutil7odm.sys
  - \ktes.sys
  - \a26363e7b02b13f2b8d697abb90cd5c3.sys
  - \kt2.sys
  - \4748696211bd56c2d93c21cab91e82a5.sys
  - \malicious.sys
  - \a236e7d654cd932b7d11cb604629a2d0.sys
  - \spwizimgvt.sys
  - \c94f405c5929cfcccc8ad00b42c95083.sys
  - \fur.sys
  - \wantd.sys
  - \windbg.sys
  - \4118b86e490aed091b1a219dba45f332.sys
  - \gmer64.sys
  - \1fc7aeeff3ab19004d2e53eae8160ab1.sys
  - \poortry2.sys
  - \wintapix.sys
  - \daxin_blank6.sys
  - \6771b13a53b9c7449d4891e427735ea2.sys
  - \blacklotus_driver.sys
  - \air_system10.sys
  - \dkrtk.sys
  - \7.sys
  - \sense5ext.sys
  - \ktgn.sys
  - \ndislan.sys
  - \nlslexicons0024uvn.sys
  - \be6318413160e589080df02bb3ca6e6a.sys
  - \4.sys
  - \wantd_2.sys
  - \e29f6311ae87542b3d693c1f38e4e3ad.sys
  - \daxin_blank3.sys
  - \gftkyj64.sys
  - \daxin_blank2.sys
  - \wantd_4.sys
  - \reddriver.sys
  - \834761775.sys
  - \mlgbbiicaihflrnh.sys
  - \mjj0ge.sys
  - \daxin_blank.sys
  - \daxin_blank5.sys
  - \poortry1.sys
  - \msqpq.sys
  - \mimidrv.sys
  - \e939448b28a4edc81f1f974cebf6e7d2.sys
  - \prokiller64.sys
  - \nodedriver.sys
  - \wantd_3.sys
  - \lctka.sys
  - \kapchelper_x64.sys
  - \daxin_blank4.sys
  - \a9df5964635ef8bd567ae487c3d214c4.sys
  - \wantd_6.sys
  - \ntbios.sys
  - \wantd_5.sys
  - \pciecubed.sys
  - \mimikatz.sys
  - \nqrmq.sys
  - \2.sys
  - \poortry.sys
  - \ntbios_2.sys
  - \fgme.sys
  - \telephonuafy.sys
  - \typelibde.sys
  - \daxin_blank1.sys
  - \ef0e1725aaf0c6c972593f860531a2ea.sys
  - \5a4fe297c7d42539303137b6d75b150d.sys

Vulnerable Driver Load By Name

Description

Detects the load of known vulnerable drivers by matching the driver's file name (the ImageLoaded path suffix) only; a patched build that kept the same file name will match as well, so a hit needs hash or signer confirmation before it is treated as a vulnerable-driver load.

Detection logic

# Detection block of the Sigma rule "Vulnerable Driver Load By Name".
# The rule fires when the loaded image path (ImageLoaded) ends with any one of
# the suffixes listed below; Sigma ORs the values of a list under a field.
# This is a name-only match. It cannot distinguish a vulnerable build from a
# patched build that kept the same file name (see the false-positive note at
# the top of the page), and a renamed copy of a vulnerable driver is not
# caught. Confirm a hit with the file hash / signer before acting on it.
condition: selection
selection:
  # Leading backslash anchors the match to a full file name. Several short
  # entries (\1.sys, \b.sys, \t.sys, \80.sys, ...) are generic names that are
  # presumably taken from specific samples — they are weak indicators on
  # their own, so verify against the source list before tuning them away.
  ImageLoaded|endswith:
  - \panmonfltx64.sys
  - \dbutil.sys
  - \fairplaykd.sys
  - \nvaudio.sys
  - \superbmc.sys
  - \bsmi.sys
  - \smarteio64.sys
  - \bwrsh.sys
  - \agent64.sys
  - \asmmap64.sys
  - \dellbios.sys
  - \chaos-rootkit.sys
  - \wcpu.sys
  - \dh_kernel.sys
  - \sbiosio64.sys
  - \bw.sys
  - \asrdrv102.sys
  - \nt6.sys
  - \mhyprot3.sys
  - \winio64c.sys
  - \asupio64.sys
  - \blackbonedrv10.sys
  - \d.sys
  - \driver7-x86.sys
  - \sfdrvx32.sys
  - \enetechio64.sys
  - \gdrv.sys
  - \sysinfodetectorx64.sys
  - \fh-ethercat_dio.sys
  - \asromgdrv.sys
  - \my.sys
  - \dcprotect.sys
  - \irec.sys
  - \gedevdrv.sys
  - \winio32a.sys
  - \gvcidrv64.sys
  - \winio32.sys
  - \bs_hwmio64.sys
  - \nstr.sys
  - \inpoutx64.sys
  - \hw.sys
  - \winio64.sys
  - \hpportiox64.sys
  - \iobitunlocker.sys
  - \b1.sys
  - \aoddriver.sys
  - \elbycdio.sys
  - \protects.sys
  - \kprocesshacker.sys
  - \speedfan.sys
  - \radhwmgr.sys
  - \iscflashx64.sys
  - \black.sys
  - \b4.sys
  - \hwos2ec10x64.sys
  - \winflash64.sys
  - \corsairllaccess64.sys
  - \bs_i2cio.sys
  - \d3.sys
  - \windows-xp-64.sys
  - \aswvmm.sys
  - \bs_i2c64.sys
  - \1.sys
  - \nchgbios2x64.sys
  - \cpuz141.sys
  - \segwindrvx64.sys
  - \tdeio64.sys
  - \ntiolib.sys
  - \gtckmdfbs.sys
  - \iomap64.sys
  - \avalueio.sys
  - \semav6msr.sys
  - \lgdcatcher.sys
  - \b.sys
  - \hwdetectng.sys
  - \nt4.sys
  - \tgsafe.sys
  - \mydrivers.sys
  - \eneio64.sys
  - \procexp.sys
  - \viragt64.sys
  - \fpcie2com.sys
  - \lenovodiagnosticsdriver.sys
  - \cp2x72c.sys
  - \kerneld.amd64  # the only entry without a .sys extension; kept as in the source list
  - \bs_def64.sys
  - \piddrv.sys
  - \amifldrv64.sys
  - \cpuz_x64.sys
  - \proxy32.sys
  - \wsdkd.sys
  - \t8.sys
  - \ucorew64.sys
  - \atszio.sys
  - \lmiinfo.sys
  - \80.sys
  - \nt3.sys
  - \ngiodriver.sys
  - \lv561av.sys
  - \gpcidrv64.sys
  - \fd3b7234419fafc9bdd533f48896ed73_b816c5cd.sys
  - \rtport.sys
  - \full.sys
  - \viragt.sys
  - \fiddrv64.sys
  - \cupfixerx64.sys
  - \cpupress.sys
  - \hwos2ec7x64.sys
  - \driver7-x86-withoutdbg.sys
  - \asrdrv10.sys
  - \nvflsh64.sys
  - \asrrapidstartdrv.sys
  - \tmcomm.sys
  - \wiseunlo.sys
  - \rwdrv.sys
  - \asio64.sys
  - \nvoclock.sys
  - \panio.sys
  - \mtcbsv64.sys
  - \amigendrv64.sys
  - \capcom.sys
  - \netflt.sys
  - \phlashnt.sys
  - \dbutil_2_3.sys
  - \ni.sys
  - \ntiolib_x64.sys
  - \atszio64.sys
  - \lgcoretemp.sys
  - \lha.sys
  - \phymem64.sys
  - \dbutildrv2.sys
  - \asrdrv103.sys
  - \rtcore64.sys
  - \bs_hwmio64_w10.sys
  - \ene.sys
  - \winio64b.sys
  - \piddrv64.sys
  - \directio32.sys
  - \monitor_win10_x64.sys
  - \nt5.sys
  - \asrsmartconnectdrv.sys
  - \rtif.sys
  - \atillk64.sys
  - \directio.sys
  - \asribdrv.sys
  - \kfeco11x64.sys
  - \citmdrv_ia64.sys
  - \sysdrv3s.sys
  - \amp.sys
  - \vboxdrv.sys
  - \adv64drv.sys
  - \hostnt.sys
  - \phymem_ext64.sys
  - \echo_driver.sys
  - \winiodrv.sys
  - \pdfwkrnl.sys
  - \glckio2.sys
  - \asrdrv106.sys
  - \nscm.sys
  - \bs_rcio64.sys
  - \ncpl.sys
  - \sandra.sys
  - \fiddrv.sys
  - \hwrwdrv.sys
  - \mhyprot.sys
  - \asrsetupdrv103.sys
  - \iqvw64.sys
  - \b3.sys
  - \ssport.sys
  - \bs_def.sys
  - \computerz.sys
  - \windows8-10-32.sys
  - \nstrwsk.sys
  - \lurker.sys
  - \bsmemx64.sys
  - \wyproxy64.sys
  - \asio.sys
  - \t3.sys
  - \cpuz.sys
  - \rtkio.sys
  - \driver7-x64.sys
  - \netfilterdrv.sys
  - \ioaccess.sys
  - \testbone.sys
  - \gameink.sys
  - \kevp64.sys
  - \mhyprot2.sys
  - \se64a.sys
  - \vboxusb.sys
  - \windows7-32.sys
  - \vproeventmonitor.sys
  - \winio64a.sys
  - \asrdrv101.sys
  - \netproxydriver.sys
  - \elrawdsk.sys
  - \zam64.sys
  - \cg6kwin2k.sys
  - \asupio.sys
  - \stdcdrvws64.sys
  - \81.sys
  - \citmdrv_amd64.sys
  - \amdryzenmasterdriver.sys
  - \vmdrv.sys
  - \sysinfo.sys
  - \alsysio64.sys
  - \directio64.sys
  - \rzpnk.sys
  - \amdpowerprofiler.sys
  - \truesight.sys
  - \wirwadrv.sys
  - \phymemx64.sys
  - \msio64.sys
  - \sepdrv3_1.sys
  - \gametersafe.sys
  - \bs_rcio.sys
  - \d4.sys
  - \t.sys
  - \eio.sys
  - \nt2.sys
  - \winring0.sys
  - \physmem.sys
  - \libnicm.sys
  - \msio32.sys
  - \asrautochkupddrv.sys
  - \asio32.sys
  - \etdsupp.sys
  - \smep_namco.sys
  - \bandai.sys
  - \d2.sys
  - \magdrvamd64.sys
  - \nvflash.sys
  - \goad.sys
  - \proxy64.sys
  - \amsdk.sys
  - \kbdcap64.sys
  - \vdbsv64.sys
  - \pchunter.sys
  - \sysconp.sys
  - \dh_kernel_10.sys
  - \msrhook.sys
  - \bedaisy.sys
  - \dcr.sys
  - \panmonflt.sys
  - \bsmixp64.sys
  - \otipcibus.sys
  - \fidpcidrv.sys
  - \kfeco10x64.sys
  - \asrdrv104.sys
  - \c.sys
  - \tdklib64.sys
  - \bsmix64.sys
  - \bs_flash64.sys
  - \stdcdrv64.sys
  - \naldrv.sys
  - \ctiio64.sys
  - \bwrs.sys
  - \nicm.sys
  - \winio32b.sys
  - \paniox64.sys
  - \ecsiodriverx64.sys
  - \iomem64.sys
  - \fidpcidrv64.sys
  - \aswarpot.sys
  - \bs_rciow1064.sys
  - \asmio64.sys
  - \openlibsys.sys
  - \viraglt64.sys
  - \dbk64.sys
  - \t7.sys
  - \atlaccess.sys
  - \nbiolib_x64.sys
  - \smep_capcom.sys
  - \iqvw64e.sys