Microsoft Recommended Driver Block List

Author
Cyb3rMonk
Source
github.com/Cyb3r-Monk/Threat-Hunting-and-Detection

The query below detects the loading (DeviceEvents, ActionType DriverLoad) or creation (DeviceFileEvents) of a driver whose SHA1 or SHA256 hash appears in the Microsoft recommended driver block rules.

Rule body (kusto)

// Author: Cyb3rMonk(https://twitter.com/Cyb3rMonk, https://academy.bluraven.io)
//
// Query parameters:
let driver_block_list = externaldata (driver:dynamic) [@"https://raw.githubusercontent.com/Cyb3r-Monk/Microsoft-Vulnerable-Driver-Block-Lists/refs/heads/main/msft_vuln_driver_block_list.json"]
    with (format=multijson, ingestionMapping='[{"Column":"driver","Properties":{"Path":"$"}}]')
| evaluate bag_unpack(driver)
;
let driver_hashes = toscalar(
    driver_block_list
    | where isnotempty(FileHash)
    | summarize make_set(tolower(FileHash))
    )
;
union 
    (
        DeviceEvents
        | where ActionType == "DriverLoad"
        | where SHA1 in~ (driver_hashes) or SHA256 in~ (driver_hashes)
    ),
    (
        DeviceFileEvents
        | where SHA1 in~ (driver_hashes) or SHA256 in~ (driver_hashes)
    )
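
An offline emulation of the matching logic in the rule above, added here as an example and not part of the author's repository. It reads a constructed multijson block list the way externaldata(format=multijson) does, builds the lower-cased hash set as the driver_hashes let does, and applies the two union branches to constructed MDE rows; the FileName key in the block list is an assumed placeholder, and the hashes are made-up stand-ins.

```python
import json

H1, H2 = "a1" * 20, "b2" * 32   # constructed SHA-1/SHA-256 stand-ins, not real driver hashes

# Constructed stand-in for msft_vuln_driver_block_list.json as externaldata(format=multijson)
# reads it: JSON objects back to back. The rule uses only FileHash; FileName is an assumed key.
# The third entry has no hash (a signer-based entry), which the rule must skip.
SAMPLE_BLOCK_LIST = (
    '{"FileName":"vuln1.sys","FileHash":"' + H1.upper() + '"}\n'
    '{"FileName":"vuln2.sys","FileHash":"' + H2.upper() + '"}\n'
    '{"FileName":"signer-only.sys","FileHash":""}\n'
)
# Constructed MDE rows; hashes written lower-case so the case-insensitive match is exercised.
DEVICE_EVENTS = [
    {"ActionType": "DriverLoad", "FileName": "vuln1.sys", "SHA1": H1, "SHA256": ""},
    {"ActionType": "DriverLoad", "FileName": "benign.sys", "SHA1": "c3" * 20, "SHA256": ""},
    {"ActionType": "ProcessCreated", "FileName": "vuln1.sys", "SHA1": H1, "SHA256": ""},
    {"ActionType": "DriverLoad", "FileName": "nohash.sys", "SHA1": "", "SHA256": ""},
]
DEVICE_FILE_EVENTS = [
    {"ActionType": "FileCreated", "FileName": "vuln2.sys", "SHA1": "", "SHA256": H2},
]

def read_multijson(text):
    """Yield each object from a multijson stream (objects separated only by whitespace)."""
    dec, pos = json.JSONDecoder(), 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        obj, pos = dec.raw_decode(text, pos)
        yield obj

def build_hash_set(text):
    """The driver_hashes let: lower-cased FileHash values, empty ones skipped.
    Skipping empties is the rule's isnotempty(FileHash); without it an empty hash in the
    set would match every event row whose SHA1 or SHA256 column is empty."""
    return {o["FileHash"].lower() for o in read_multijson(text) if o.get("FileHash")}

def match_events(device_events, device_file_events, hashes):
    """The union: DriverLoad rows from DeviceEvents plus any DeviceFileEvents row whose
    SHA1 or SHA256 is in the set; lower-casing both sides reproduces the case-insensitive in~."""
    def hit(row):
        return any((row.get(c) or "").lower() in hashes for c in ("SHA1", "SHA256"))
    loads = [r for r in device_events if r.get("ActionType") == "DriverLoad" and hit(r)]
    return loads + [r for r in device_file_events if hit(r)]

def run_sample():
    """Apply the rule logic to the constructed data; returns the matched rows."""
    return match_events(DEVICE_EVENTS, DEVICE_FILE_EVENTS, build_hash_set(SAMPLE_BLOCK_LIST))
```

Only vuln1.sys (a DriverLoad) and vuln2.sys (a file event) match; the ProcessCreated row, the unlisted driver, and the row with empty hash columns do not.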

Stages and Predicates

Stage 0: let

let driver_block_list = externaldata (driver:dynamic) [@"https://raw.githubusercontent.com/Cyb3r-Monk/Microsoft-Vulnerable-Driver-Block-Lists/refs/heads/main/msft_vuln_driver_block_list.json"]
    with (format=multijson, ingestionMapping='[{"Column":"driver","Properties":{"Path":"$"}}]')
| evaluate bag_unpack(driver)
;
let driver_hashes = toscalar(
    driver_block_list
    | where isnotempty(FileHash)
    | summarize make_set(tolower(FileHash))
    )
;

Stage 1: union

union

Stage 2: source

DeviceEvents

Stage 3: where

| where ActionType == "DriverLoad"

Stage 4: where

| where SHA1 in~ (driver_hashes) or SHA256 in~ (driver_hashes)

Stage 5: source

DeviceFileEvents

Stage 6: where

| where SHA1 in~ (driver_hashes) or SHA256 in~ (driver_hashes)

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field       Kind  Values
ActionType  eq    DriverLoad (transforms: cased; corpus 2, kusto 2)
SHA1        in    driver_hashes
SHA256      in    driver_hashes