detection.wiki

Detection rules › Sigma

Vulnerable WinRing0 Driver Load

Severity
high
Author
Florian Roth (Nextron Systems)
Source
upstream

Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1543.003 Create or Modify System Process: Windows Service
Privilege EscalationT1543.003 Create or Modify System Process: Windows Service

Event coverage

ProviderEvent IDTitle
Sysmon6Driver loaded

Stages and Predicates

Stage 1: selection

or:
Hashes|contains: 'IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7'
ImageLoaded|endswith: '\WinRing0.dll'
ImageLoaded|endswith: '\WinRing0.sys'
ImageLoaded|endswith: '\WinRing0x64.dll'
ImageLoaded|endswith: '\WinRing0x64.sys'
ImageLoaded|endswith: '\winring00x64.sys'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Hashesmatch
  • IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7
ImageLoadedends_with
  • \WinRing0.dll
  • \WinRing0.sys
  • \WinRing0x64.dll
  • \WinRing0x64.sys
  • \winring00x64.sys