Techniques
Sample rules
Malicious Driver Load By Name
- source: sigma
- techniques:
  - t1068
  - t1543
  - t1543.003
Description
Detects loading of known malicious drivers via the file name of the drivers.
Detection logic
condition: selection
selection:
ImageLoaded|endswith:
- \wfshbr64.sys
- \ktmutil7odm.sys
- \ktes.sys
- \a26363e7b02b13f2b8d697abb90cd5c3.sys
- \kt2.sys
- \4748696211bd56c2d93c21cab91e82a5.sys
- \malicious.sys
- \a236e7d654cd932b7d11cb604629a2d0.sys
- \spwizimgvt.sys
- \c94f405c5929cfcccc8ad00b42c95083.sys
- \fur.sys
- \wantd.sys
- \windbg.sys
- \4118b86e490aed091b1a219dba45f332.sys
- \gmer64.sys
- \1fc7aeeff3ab19004d2e53eae8160ab1.sys
- \poortry2.sys
- \wintapix.sys
- \daxin_blank6.sys
- \6771b13a53b9c7449d4891e427735ea2.sys
- \blacklotus_driver.sys
- \air_system10.sys
- \dkrtk.sys
- \7.sys
- \sense5ext.sys
- \ktgn.sys
- \ndislan.sys
- \nlslexicons0024uvn.sys
- \be6318413160e589080df02bb3ca6e6a.sys
- \4.sys
- \wantd_2.sys
- \e29f6311ae87542b3d693c1f38e4e3ad.sys
- \daxin_blank3.sys
- \gftkyj64.sys
- \daxin_blank2.sys
- \wantd_4.sys
- \reddriver.sys
- \834761775.sys
- \mlgbbiicaihflrnh.sys
- \mjj0ge.sys
- \daxin_blank.sys
- \daxin_blank5.sys
- \poortry1.sys
- \msqpq.sys
- \mimidrv.sys
- \e939448b28a4edc81f1f974cebf6e7d2.sys
- \prokiller64.sys
- \nodedriver.sys
- \wantd_3.sys
- \lctka.sys
- \kapchelper_x64.sys
- \daxin_blank4.sys
- \a9df5964635ef8bd567ae487c3d214c4.sys
- \wantd_6.sys
- \ntbios.sys
- \wantd_5.sys
- \pciecubed.sys
- \mimikatz.sys
- \nqrmq.sys
- \2.sys
- \poortry.sys
- \ntbios_2.sys
- \fgme.sys
- \telephonuafy.sys
- \typelibde.sys
- \daxin_blank1.sys
- \ef0e1725aaf0c6c972593f860531a2ea.sys
- \5a4fe297c7d42539303137b6d75b150d.sys
Vulnerable Driver Load By Name
- source: sigma
- techniques:
  - t1068
  - t1543
  - t1543.003
Description
Detects the load of known vulnerable drivers via the file name of the drivers.
Detection logic
condition: selection
selection:
ImageLoaded|endswith:
- \panmonfltx64.sys
- \dbutil.sys
- \fairplaykd.sys
- \nvaudio.sys
- \superbmc.sys
- \bsmi.sys
- \smarteio64.sys
- \bwrsh.sys
- \agent64.sys
- \asmmap64.sys
- \dellbios.sys
- \chaos-rootkit.sys
- \wcpu.sys
- \dh_kernel.sys
- \sbiosio64.sys
- \bw.sys
- \asrdrv102.sys
- \nt6.sys
- \mhyprot3.sys
- \winio64c.sys
- \asupio64.sys
- \blackbonedrv10.sys
- \d.sys
- \driver7-x86.sys
- \sfdrvx32.sys
- \enetechio64.sys
- \gdrv.sys
- \sysinfodetectorx64.sys
- \fh-ethercat_dio.sys
- \asromgdrv.sys
- \my.sys
- \dcprotect.sys
- \irec.sys
- \gedevdrv.sys
- \winio32a.sys
- \gvcidrv64.sys
- \winio32.sys
- \bs_hwmio64.sys
- \nstr.sys
- \inpoutx64.sys
- \hw.sys
- \winio64.sys
- \hpportiox64.sys
- \iobitunlocker.sys
- \b1.sys
- \aoddriver.sys
- \elbycdio.sys
- \protects.sys
- \kprocesshacker.sys
- \speedfan.sys
- \radhwmgr.sys
- \iscflashx64.sys
- \black.sys
- \b4.sys
- \hwos2ec10x64.sys
- \winflash64.sys
- \corsairllaccess64.sys
- \bs_i2cio.sys
- \d3.sys
- \windows-xp-64.sys
- \aswvmm.sys
- \bs_i2c64.sys
- \1.sys
- \nchgbios2x64.sys
- \cpuz141.sys
- \segwindrvx64.sys
- \tdeio64.sys
- \ntiolib.sys
- \gtckmdfbs.sys
- \iomap64.sys
- \avalueio.sys
- \semav6msr.sys
- \lgdcatcher.sys
- \b.sys
- \hwdetectng.sys
- \nt4.sys
- \tgsafe.sys
- \mydrivers.sys
- \eneio64.sys
- \procexp.sys
- \viragt64.sys
- \fpcie2com.sys
- \lenovodiagnosticsdriver.sys
- \cp2x72c.sys
- \kerneld.amd64
- \bs_def64.sys
- \piddrv.sys
- \amifldrv64.sys
- \cpuz_x64.sys
- \proxy32.sys
- \wsdkd.sys
- \t8.sys
- \ucorew64.sys
- \atszio.sys
- \lmiinfo.sys
- \80.sys
- \nt3.sys
- \ngiodriver.sys
- \lv561av.sys
- \gpcidrv64.sys
- \fd3b7234419fafc9bdd533f48896ed73_b816c5cd.sys
- \rtport.sys
- \full.sys
- \viragt.sys
- \fiddrv64.sys
- \cupfixerx64.sys
- \cpupress.sys
- \hwos2ec7x64.sys
- \driver7-x86-withoutdbg.sys
- \asrdrv10.sys
- \nvflsh64.sys
- \asrrapidstartdrv.sys
- \tmcomm.sys
- \wiseunlo.sys
- \rwdrv.sys
- \asio64.sys
- \nvoclock.sys
- \panio.sys
- \mtcbsv64.sys
- \amigendrv64.sys
- \capcom.sys
- \netflt.sys
- \phlashnt.sys
- \dbutil_2_3.sys
- \ni.sys
- \ntiolib_x64.sys
- \atszio64.sys
- \lgcoretemp.sys
- \lha.sys
- \phymem64.sys
- \dbutildrv2.sys
- \asrdrv103.sys
- \rtcore64.sys
- \bs_hwmio64_w10.sys
- \ene.sys
- \winio64b.sys
- \piddrv64.sys
- \directio32.sys
- \monitor_win10_x64.sys
- \nt5.sys
- \asrsmartconnectdrv.sys
- \rtif.sys
- \atillk64.sys
- \directio.sys
- \asribdrv.sys
- \kfeco11x64.sys
- \citmdrv_ia64.sys
- \sysdrv3s.sys
- \amp.sys
- \vboxdrv.sys
- \adv64drv.sys
- \hostnt.sys
- \phymem_ext64.sys
- \echo_driver.sys
- \winiodrv.sys
- \pdfwkrnl.sys
- \glckio2.sys
- \asrdrv106.sys
- \nscm.sys
- \bs_rcio64.sys
- \ncpl.sys
- \sandra.sys
- \fiddrv.sys
- \hwrwdrv.sys
- \mhyprot.sys
- \asrsetupdrv103.sys
- \iqvw64.sys
- \b3.sys
- \ssport.sys
- \bs_def.sys
- \computerz.sys
- \windows8-10-32.sys
- \nstrwsk.sys
- \lurker.sys
- \bsmemx64.sys
- \wyproxy64.sys
- \asio.sys
- \t3.sys
- \cpuz.sys
- \rtkio.sys
- \driver7-x64.sys
- \netfilterdrv.sys
- \ioaccess.sys
- \testbone.sys
- \gameink.sys
- \kevp64.sys
- \mhyprot2.sys
- \se64a.sys
- \vboxusb.sys
- \windows7-32.sys
- \vproeventmonitor.sys
- \winio64a.sys
- \asrdrv101.sys
- \netproxydriver.sys
- \elrawdsk.sys
- \zam64.sys
- \cg6kwin2k.sys
- \asupio.sys
- \stdcdrvws64.sys
- \81.sys
- \citmdrv_amd64.sys
- \amdryzenmasterdriver.sys
- \vmdrv.sys
- \sysinfo.sys
- \alsysio64.sys
- \directio64.sys
- \rzpnk.sys
- \amdpowerprofiler.sys
- \truesight.sys
- \wirwadrv.sys
- \phymemx64.sys
- \msio64.sys
- \sepdrv3_1.sys
- \gametersafe.sys
- \bs_rcio.sys
- \d4.sys
- \t.sys
- \eio.sys
- \nt2.sys
- \winring0.sys
- \physmem.sys
- \libnicm.sys
- \msio32.sys
- \asrautochkupddrv.sys
- \asio32.sys
- \etdsupp.sys
- \smep_namco.sys
- \bandai.sys
- \d2.sys
- \magdrvamd64.sys
- \nvflash.sys
- \goad.sys
- \proxy64.sys
- \amsdk.sys
- \kbdcap64.sys
- \vdbsv64.sys
- \pchunter.sys
- \sysconp.sys
- \dh_kernel_10.sys
- \msrhook.sys
- \bedaisy.sys
- \dcr.sys
- \panmonflt.sys
- \bsmixp64.sys
- \otipcibus.sys
- \fidpcidrv.sys
- \kfeco10x64.sys
- \asrdrv104.sys
- \c.sys
- \tdklib64.sys
- \bsmix64.sys
- \bs_flash64.sys
- \stdcdrv64.sys
- \naldrv.sys
- \ctiio64.sys
- \bwrs.sys
- \nicm.sys
- \winio32b.sys
- \paniox64.sys
- \ecsiodriverx64.sys
- \iomem64.sys
- \fidpcidrv64.sys
- \aswarpot.sys
- \bs_rciow1064.sys
- \asmio64.sys
- \openlibsys.sys
- \viraglt64.sys
- \dbk64.sys
- \t7.sys
- \atlaccess.sys
- \nbiolib_x64.sys
- \smep_capcom.sys
- \iqvw64e.sys
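The two rules above share one detection pattern: a `selection` whose single field `ImageLoaded|endswith` holds a list of file names, each prefixed with a backslash, and a `condition` that is just that selection. The example below is an added illustration of how that logic evaluates against Sysmon Event ID 7 (image load) records; it is not code from the Sigma project, it reproduces only a handful of names from each list (the real rules carry the full lists), and the sample events are constructed. It also shows why the leading backslash in every entry matters: Sigma's `endswith` is case-insensitive, and without the backslash a short name such as `7.sys` would also match any driver whose name merely ends in `7.sys`.

```python
"""Evaluate the 'Malicious Driver Load By Name' and 'Vulnerable Driver Load By Name'
Sigma selections against Sysmon Event ID 7 records.

Added example, not part of the Sigma project. The name lists are subsets of the
rule lists on this page; the events are constructed sample data.
"""
from __future__ import annotations

# Subset of the Malicious Driver Load By Name list (constructed subset, same values as the page).
MALICIOUS_DRIVER_NAMES = [
    r"\mimidrv.sys", r"\mimikatz.sys", r"\gmer64.sys", r"\poortry.sys", r"\7.sys",
]

# Subset of the Vulnerable Driver Load By Name list (constructed subset, same values as the page).
VULNERABLE_DRIVER_NAMES = [
    r"\dbutil_2_3.sys", r"\rtcore64.sys", r"\gdrv.sys", r"\procexp.sys", r"\1.sys",
]


def sigma_endswith(value: str, suffix: str) -> bool:
    """Sigma string modifiers compare case-insensitively unless |cased is added."""
    return value.lower().endswith(suffix.lower())


def evaluate_selection(event: dict, suffixes: list[str]) -> bool:
    """'ImageLoaded|endswith: [a, b, ...]' is an OR over the listed suffixes."""
    image = event.get("ImageLoaded")
    if image is None:
        return False
    return any(sigma_endswith(image, s) for s in suffixes)


def classify(event: dict) -> str | None:
    """Return the title of the first rule whose condition (condition: selection) holds."""
    if evaluate_selection(event, MALICIOUS_DRIVER_NAMES):
        return "Malicious Driver Load By Name"
    if evaluate_selection(event, VULNERABLE_DRIVER_NAMES):
        return "Vulnerable Driver Load By Name"
    return None


# Constructed Sysmon Event ID 7 records, reduced to the fields the rules use.
SAMPLE_EVENTS = [
    {"EventID": 7, "ImageLoaded": r"C:\Windows\Temp\MIMIDRV.SYS"},               # case differs
    {"EventID": 7, "ImageLoaded": r"C:\Windows\System32\drivers\RTCore64.sys"},
    {"EventID": 7, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys"},      # benign
    {"EventID": 7, "ImageLoaded": r"C:\Users\u\Downloads\rtcore64.sys.txt"},     # not a .sys suffix
    {"EventID": 7, "ImageLoaded": r"C:\drivers\x7.sys"},                         # would match a bare '7.sys'
]


def run(events: list[dict]) -> list[tuple[str, str]]:
    """Return (ImageLoaded, rule title) for every event that triggers a rule."""
    hits = []
    for event in events:
        rule = classify(event)
        if rule:
            hits.append((event["ImageLoaded"], rule))
    return hits


if __name__ == "__main__":
    for path, rule in run(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

The fifth sample event is the reason the backslash prefix exists: `\7.sys` matches only a driver literally named `7.sys`, whereas a bare `7.sys` suffix would also fire on `x7.sys`. Name-based rules like these are cheap to run but only catch drivers that keep their known file name, so they are usually paired with hash- or signer-based detections for the same driver families.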