Malicious Driver Load By Name
Detects loading of known malicious drivers via the file name of the drivers.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1543.003 Create or Modify System Process: Windows Service |
| Privilege Escalation | T1068 Exploitation for Privilege Escalation, T1543.003 Create or Modify System Process: Windows Service |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 6 | Driver loaded |
Stages and Predicates
Stage 1: selection
```yaml
selection:
  # Any one of the following file names matches (logical OR).
  ImageLoaded|endswith:
    - '\1fc7aeeff3ab19004d2e53eae8160ab1.sys'
    - '\2.sys'
    - '\4.sys'
    - '\4118b86e490aed091b1a219dba45f332.sys'
    - '\4748696211bd56c2d93c21cab91e82a5.sys'
    - '\5a4fe297c7d42539303137b6d75b150d.sys'
    - '\6771b13a53b9c7449d4891e427735ea2.sys'
    - '\7.sys'
    - '\834761775.sys'
    - '\a236e7d654cd932b7d11cb604629a2d0.sys'
    - '\a26363e7b02b13f2b8d697abb90cd5c3.sys'
    - '\a9df5964635ef8bd567ae487c3d214c4.sys'
    - '\air_system10.sys'
    - '\be6318413160e589080df02bb3ca6e6a.sys'
    - '\blacklotus_driver.sys'
    - '\c94f405c5929cfcccc8ad00b42c95083.sys'
    - '\daxin_blank.sys'
    - '\daxin_blank1.sys'
    - '\daxin_blank2.sys'
    - '\daxin_blank3.sys'
    - '\daxin_blank4.sys'
    - '\daxin_blank5.sys'
    - '\daxin_blank6.sys'
    - '\dkrtk.sys'
    - '\e29f6311ae87542b3d693c1f38e4e3ad.sys'
    - '\e939448b28a4edc81f1f974cebf6e7d2.sys'
    - '\ef0e1725aaf0c6c972593f860531a2ea.sys'
    - '\fgme.sys'
    - '\fur.sys'
    - '\gftkyj64.sys'
    - '\gmer64.sys'
    - '\kapchelper_x64.sys'
    - '\kt2.sys'
    - '\ktes.sys'
    - '\ktgn.sys'
    - '\ktmutil7odm.sys'
    - '\lctka.sys'
    - '\malicious.sys'
    - '\mimidrv.sys'
    - '\mimikatz.sys'
    - '\mjj0ge.sys'
    - '\mlgbbiicaihflrnh.sys'
    - '\msqpq.sys'
    - '\ndislan.sys'
    - '\nlslexicons0024uvn.sys'
    - '\nodedriver.sys'
    - '\nqrmq.sys'
    - '\ntbios.sys'
    - '\ntbios_2.sys'
    - '\pciecubed.sys'
    - '\poortry.sys'
    - '\poortry1.sys'
    - '\poortry2.sys'
    - '\prokiller64.sys'
    - '\reddriver.sys'
    - '\sense5ext.sys'
    - '\spwizimgvt.sys'
    - '\telephonuafy.sys'
    - '\typelibde.sys'
    - '\wantd.sys'
    - '\wantd_2.sys'
    - '\wantd_3.sys'
    - '\wantd_4.sys'
    - '\wantd_5.sys'
    - '\wantd_6.sys'
    - '\wfshbr64.sys'
    - '\windbg.sys'
    - '\wintapix.sys'
```
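As an added illustration (not part of the rule or its catalog), the following Python applies the selection above to constructed Sysmon Event ID 6 records, using a subset of the listed driver names. It makes explicit two properties of Sigma's `endswith` that matter when porting the rule to a SIEM: matching is case-insensitive, and the leading backslash anchors each value to the whole file name.

```python
import json

# Subset of the file names from the rule's selection above; the full list is
# on the page and would be used in production.
MALICIOUS_DRIVER_NAMES = (
    r"\2.sys",
    r"\mimidrv.sys",
    r"\gmer64.sys",
    r"\blacklotus_driver.sys",
    r"\poortry.sys",
)


def matches_rule(event: dict) -> bool:
    """True if a Sysmon Event ID 6 record satisfies the rule's selection.

    Sigma string modifiers compare case-insensitively, so the path is
    lower-cased before the endswith test. The leading backslash in every
    value anchors the match to the whole file name, so '\\2.sys' does not
    match '\\foo2.sys'.
    """
    if event.get("EventID") != 6:
        return False
    image = event.get("ImageLoaded", "").lower()
    return any(image.endswith(name.lower()) for name in MALICIOUS_DRIVER_NAMES)


def scan(lines):
    """Yield the ImageLoaded path of every matching event in a JSON-lines feed."""
    for line in lines:
        event = json.loads(line)
        if matches_rule(event):
            yield event["ImageLoaded"]


# Constructed Sysmon records (JSON lines), not real telemetry.
SAMPLE_EVENTS = [
    '{"EventID": 6, "ImageLoaded": "C:\\\\Windows\\\\System32\\\\drivers\\\\ntfs.sys"}',
    '{"EventID": 6, "ImageLoaded": "C:\\\\Users\\\\Public\\\\MimiDrv.SYS"}',  # case differs
    '{"EventID": 6, "ImageLoaded": "C:\\\\Temp\\\\foo2.sys"}',  # suffix only, no match
    '{"EventID": 6, "ImageLoaded": "C:\\\\Temp\\\\2.sys"}',
    '{"EventID": 7, "ImageLoaded": "C:\\\\Temp\\\\gmer64.sys"}',  # wrong event ID
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("Malicious Driver Load By Name:", hit)
```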
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| ImageLoaded | ends_with | the 68 driver file names listed under Stage 1: selection |