Detection rules › Sigma
Vulnerable HackSys Extreme Vulnerable Driver Load
Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1543.003 Create or Modify System Process: Windows Service |
| Privilege Escalation | T1543.003 Create or Modify System Process: Windows Service |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 6 | Driver loaded |
Stages and Predicates
Stage 1: selection
or:
Hashes|contains: 'IMPHASH=c46ea2e651fd5f7f716c8867c6d13594'
Hashes|contains: 'IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5'
ImageLoaded|endswith: '\HEVD.sys'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Hashes | match |
|
ImageLoaded | ends_with |
|