Microsoft Recommended Driver Block List
The query below detects the loading (DeviceEvents) or creation (DeviceFileEvents) of a driver whose SHA1 or SHA256 hash appears in the Microsoft recommended driver block rules.
Event coverage
| Provider | Event/ActionType | Title |
|---|---|---|
| Sysmon | Event ID 6 | Driver loaded |
| Security-Auditing | Event ID 4663 | An attempt was made to access an object. |
| Defender-DeviceEvents | DriverLoad | Driver loaded |
| Threat-Intelligence | Event ID 30 | Driver Load |
Rule body

```kusto
// Author: Cyb3rMonk(https://twitter.com/Cyb3rMonk, https://academy.bluraven.io)
//
// Query parameters:
// Fetch the block list as JSON and unpack each entry's fields into columns.
let driver_block_list = externaldata (driver:dynamic) [@"https://raw.githubusercontent.com/Cyb3r-Monk/Microsoft-Vulnerable-Driver-Block-Lists/refs/heads/main/msft_vuln_driver_block_list.json"]
    with (format=multijson, ingestionMapping='[{"Column":"driver","Properties":{"Path":"$"}}]')
    | evaluate bag_unpack(driver)
;
// Collapse the list into one lower-cased set of hashes, skipping entries without a FileHash.
let driver_hashes = toscalar(
    driver_block_list
    | where isnotempty(FileHash)
    | summarize make_set(tolower(FileHash))
)
;
union
(
    // Driver loads whose SHA1 or SHA256 is on the list (in~ is case-insensitive).
    DeviceEvents
    | where ActionType == "DriverLoad"
    | where SHA1 in~ (driver_hashes) or SHA256 in~ (driver_hashes)
),
(
    // Any file event (creation, modification, rename) for a listed driver binary.
    DeviceFileEvents
    | where SHA1 in~ (driver_hashes) or SHA256 in~ (driver_hashes)
)
```
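To test the rule's matching logic offline, here is an added Python re-implementation (not part of the rule or the catalog) that mirrors the query: it builds the lower-cased hash set from a constructed block-list sample, then filters constructed DeviceEvents and DeviceFileEvents rows the way the union does. The sample is line-delimited JSON with a FileHash field, which is an assumption; the real file's exact layout is not shown on this page, and all hashes and event rows are made up.

```python
import json
# Constructed block-list sample: one JSON object per line (line-delimited JSON),
# each with a FileHash. Values are made up, not real block-list entries.
BLOCK_LIST_SAMPLE = """
{"FileName": "driver_a.sys", "FileHash": "0A1B2C3D4E5F60718293A4B5C6D7E8F901234567"}
{"FileName": "driver_b.sys", "FileHash": ""}
{"FileName": "driver_c.sys", "FileHash": "ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100"}
"""

def load_block_list_hashes(text: str) -> set:
    """Mirror of the driver_hashes let: non-empty FileHash values, lower-cased."""
    hashes = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)  # bag_unpack: the object's keys become columns
        file_hash = entry.get("FileHash")
        if file_hash:  # isnotempty(FileHash): drop blank entries so "" never matches
            hashes.add(file_hash.lower())
    return hashes

def match_events(device_events, device_file_events, driver_hashes):
    """Mirror of the union: DriverLoad events plus any file event with a listed hash."""
    def hash_hit(ev):
        # in~ compares case-insensitively, so lower-case SHA1/SHA256 before lookup
        for col in ("SHA1", "SHA256"):
            h = ev.get(col)
            if h and h.lower() in driver_hashes:
                return True
        return False
    hits = [ev for ev in device_events
            if ev.get("ActionType") == "DriverLoad" and hash_hit(ev)]
    hits += [ev for ev in device_file_events if hash_hit(ev)]
    return hits
# Constructed telemetry rows shaped like DeviceEvents / DeviceFileEvents columns.
SAMPLE_DEVICE_EVENTS = [
    {"Table": "DeviceEvents", "ActionType": "DriverLoad", "DeviceName": "ws01",
     "SHA1": "0a1b2c3d4e5f60718293a4b5c6d7e8f901234567", "SHA256": None},
    {"Table": "DeviceEvents", "ActionType": "ProcessCreated", "DeviceName": "ws01",
     "SHA1": "0a1b2c3d4e5f60718293a4b5c6d7e8f901234567"},  # hash listed, wrong ActionType
    {"Table": "DeviceEvents", "ActionType": "DriverLoad", "DeviceName": "ws02",
     "SHA1": "1111111111111111111111111111111111111111"},  # not on the list
]
SAMPLE_DEVICE_FILE_EVENTS = [
    {"Table": "DeviceFileEvents", "ActionType": "FileCreated", "DeviceName": "ws03",
     "SHA256": "FFEEDDCCBBAA99887766554433221100FFEEDDCCBBAA99887766554433221100"},
    {"Table": "DeviceFileEvents", "ActionType": "FileCreated", "DeviceName": "ws03", "SHA256": ""},
]
```

Running `match_events(SAMPLE_DEVICE_EVENTS, SAMPLE_DEVICE_FILE_EVENTS, load_block_list_hashes(BLOCK_LIST_SAMPLE))` returns only the ws01 DriverLoad and the ws03 file event; the blank-hash rows never match because empty FileHash entries are excluded from the set.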
Stages and Predicates

Stage 0: let

```kusto
let driver_block_list = externaldata (driver:dynamic) [@"https://raw.githubusercontent.com/Cyb3r-Monk/Microsoft-Vulnerable-Driver-Block-Lists/refs/heads/main/msft_vuln_driver_block_list.json"]
    with (format=multijson, ingestionMapping='[{"Column":"driver","Properties":{"Path":"$"}}]')
    | evaluate bag_unpack(driver)
;
let driver_hashes = toscalar(
    driver_block_list
    | where isnotempty(FileHash)
    | summarize make_set(tolower(FileHash))
)
;
```

- Stage 1 (union): `union`
- Stage 2 (source): `DeviceEvents`
- Stage 3 (where): `| where ActionType == "DriverLoad"`
- Stage 4 (where): `| where SHA1 in~ (driver_hashes) or SHA256 in~ (driver_hashes)`
- Stage 5 (source): `DeviceFileEvents`
- Stage 6 (where): `| where SHA1 in~ (driver_hashes) or SHA256 in~ (driver_hashes)`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| ActionType | eq | `DriverLoad` |
| SHA1 | in | `driver_hashes` (lower-cased `FileHash` values from the block list) |
| SHA256 | in | `driver_hashes` (lower-cased `FileHash` values from the block list) |