Sigma | low | Hunting
Vulnerable Driver Load By Name
Detects the load of known vulnerable drivers via the file name of the drivers.
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-10-03
Data Sources
windows: Driver Load Events
Platforms
windows
References
- https://loldrivers.io/
Tags
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
- attack.t1068
Raw Content
title: Vulnerable Driver Load By Name
id: 72cd00d6-490c-4650-86ff-1d11f491daa1
status: test
description: Detects the load of known vulnerable drivers via the file name of the drivers.
references:
    - https://loldrivers.io/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-03
modified: 2023-12-02
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
    - attack.t1068
logsource:
    product: windows
    category: driver_load
detection:
    selection:
        ImageLoaded|endswith:
            - '\panmonfltx64.sys'
            - '\dbutil.sys'
            - '\fairplaykd.sys'
            - '\nvaudio.sys'
            - '\superbmc.sys'
            - '\bsmi.sys'
            - '\smarteio64.sys'
            - '\bwrsh.sys'
            - '\agent64.sys'
            - '\asmmap64.sys'
            - '\dellbios.sys'
            - '\chaos-rootkit.sys'
            - '\wcpu.sys'
            - '\dh_kernel.sys'
            - '\sbiosio64.sys'
            - '\bw.sys'
            - '\asrdrv102.sys'
            - '\nt6.sys'
            - '\mhyprot3.sys'
            - '\winio64c.sys'
            - '\asupio64.sys'
            - '\blackbonedrv10.sys'
            - '\d.sys'
            - '\driver7-x86.sys'
            - '\sfdrvx32.sys'
            - '\enetechio64.sys'
            - '\gdrv.sys'
            - '\sysinfodetectorx64.sys'
            - '\fh-ethercat_dio.sys'
            - '\asromgdrv.sys'
            - '\my.sys'
            - '\dcprotect.sys'
            - '\irec.sys'
            - '\gedevdrv.sys'
            - '\winio32a.sys'
            - '\gvcidrv64.sys'
            - '\winio32.sys'
            - '\bs_hwmio64.sys'
            - '\nstr.sys'
            - '\inpoutx64.sys'
            - '\hw.sys'
            - '\winio64.sys'
            - '\hpportiox64.sys'
            - '\iobitunlocker.sys'
            - '\b1.sys'
            - '\aoddriver.sys'
            - '\elbycdio.sys'
            - '\protects.sys'
            - '\kprocesshacker.sys'
            - '\speedfan.sys'
            - '\radhwmgr.sys'
            - '\iscflashx64.sys'
            - '\black.sys'
            - '\b4.sys'
            - '\hwos2ec10x64.sys'
            - '\winflash64.sys'
            - '\corsairllaccess64.sys'
            - '\bs_i2cio.sys'
            - '\d3.sys'
            - '\windows-xp-64.sys'
            - '\aswvmm.sys'
            - '\bs_i2c64.sys'
            - '\1.sys'
            - '\nchgbios2x64.sys'
            - '\cpuz141.sys'
            - '\segwindrvx64.sys'
            - '\tdeio64.sys'
            - '\ntiolib.sys'
            - '\gtckmdfbs.sys'
            - '\iomap64.sys'
            - '\avalueio.sys'
            - '\semav6msr.sys'
            - '\lgdcatcher.sys'
            - '\b.sys'
            - '\hwdetectng.sys'
            - '\nt4.sys'
            - '\tgsafe.sys'
            - '\mydrivers.sys'
            - '\eneio64.sys'
            - '\procexp.sys'
            - '\viragt64.sys'
            - '\fpcie2com.sys'
            - '\lenovodiagnosticsdriver.sys'
            - '\cp2x72c.sys'
            - '\kerneld.amd64'
            - '\bs_def64.sys'
            - '\piddrv.sys'
            - '\amifldrv64.sys'
            - '\cpuz_x64.sys'
            - '\proxy32.sys'
            - '\wsdkd.sys'
            - '\t8.sys'
            - '\ucorew64.sys'
            - '\atszio.sys'
            - '\lmiinfo.sys'
            - '\80.sys'
            - '\nt3.sys'
            - '\ngiodriver.sys'
            - '\lv561av.sys'
            - '\gpcidrv64.sys'
            - '\fd3b7234419fafc9bdd533f48896ed73_b816c5cd.sys'
            - '\rtport.sys'
            - '\full.sys'
            - '\viragt.sys'
            - '\fiddrv64.sys'
            - '\cupfixerx64.sys'
            - '\cpupress.sys'
            - '\hwos2ec7x64.sys'
            - '\driver7-x86-withoutdbg.sys'
            - '\asrdrv10.sys'
            - '\nvflsh64.sys'
            - '\asrrapidstartdrv.sys'
            - '\tmcomm.sys'
            - '\wiseunlo.sys'
            - '\rwdrv.sys'
            - '\asio64.sys'
            - '\nvoclock.sys'
            - '\panio.sys'
            - '\mtcbsv64.sys'
            - '\amigendrv64.sys'
            - '\capcom.sys'
            - '\netflt.sys'
            - '\phlashnt.sys'
            - '\dbutil_2_3.sys'
            - '\ni.sys'
            - '\ntiolib_x64.sys'
            - '\atszio64.sys'
            - '\lgcoretemp.sys'
            - '\lha.sys'
            - '\phymem64.sys'
            - '\dbutildrv2.sys'
            - '\asrdrv103.sys'
            - '\rtcore64.sys'
            - '\bs_hwmio64_w10.sys'
            - '\ene.sys'
            - '\winio64b.sys'
            - '\piddrv64.sys'
            - '\directio32.sys'
            - '\monitor_win10_x64.sys'
            - '\nt5.sys'
            - '\asrsmartconnectdrv.sys'
            - '\rtif.sys'
            - '\atillk64.sys'
            - '\directio.sys'
            - '\asribdrv.sys'
            - '\kfeco11x64.sys'
            - '\citmdrv_ia64.sys'
            - '\sysdrv3s.sys'
            - '\amp.sys'
            - '\vboxdrv.sys'
            - '\adv64drv.sys'
            - '\hostnt.sys'
            - '\phymem_ext64.sys'
            - '\echo_driver.sys'
            - '\winiodrv.sys'
            - '\pdfwkrnl.sys'
            - '\glckio2.sys'
            - '\asrdrv106.sys'
            - '\nscm.sys'
            - '\bs_rcio64.sys'
            - '\ncpl.sys'
            - '\sandra.sys'
            - '\fiddrv.sys'
            - '\hwrwdrv.sys'
            - '\mhyprot.sys'
            - '\asrsetupdrv103.sys'
            - '\iqvw64.sys'
            - '\b3.sys'
            - '\ssport.sys'
            - '\bs_def.sys'
            - '\computerz.sys'
            - '\windows8-10-32.sys'
            - '\nstrwsk.sys'
            - '\lurker.sys'
            - '\bsmemx64.sys'
            - '\wyproxy64.sys'
            - '\asio.sys'
            - '\t3.sys'
            - '\cpuz.sys'
            - '\rtkio.sys'
            - '\driver7-x64.sys'
            - '\netfilterdrv.sys'
            - '\ioaccess.sys'
            - '\testbone.sys'
            - '\gameink.sys'
            - '\kevp64.sys'
            - '\mhyprot2.sys'
            - '\se64a.sys'
            - '\vboxusb.sys'
            - '\windows7-32.sys'
            - '\vproeventmonitor.sys'
            - '\winio64a.sys'
            - '\asrdrv101.sys'
            - '\netproxydriver.sys'
            - '\elrawdsk.sys'
            - '\zam64.sys'
            - '\cg6kwin2k.sys'
            - '\asupio.sys'
            - '\stdcdrvws64.sys'
            - '\81.sys'
            - '\citmdrv_amd64.sys'
            - '\amdryzenmasterdriver.sys'
            - '\vmdrv.sys'
            - '\sysinfo.sys'
            - '\alsysio64.sys'
            - '\directio64.sys'
            - '\rzpnk.sys'
            - '\amdpowerprofiler.sys'
            - '\truesight.sys'
            - '\wirwadrv.sys'
            - '\phymemx64.sys'
            - '\msio64.sys'
            - '\sepdrv3_1.sys'
            - '\gametersafe.sys'
            - '\bs_rcio.sys'
            - '\d4.sys'
            - '\t.sys'
            - '\eio.sys'
            - '\nt2.sys'
            - '\winring0.sys'
            - '\physmem.sys'
            - '\libnicm.sys'
            - '\msio32.sys'
            - '\asrautochkupddrv.sys'
            - '\asio32.sys'
            - '\etdsupp.sys'
            - '\smep_namco.sys'
            - '\bandai.sys'
            - '\d2.sys'
            - '\magdrvamd64.sys'
            - '\nvflash.sys'
            - '\goad.sys'
            - '\proxy64.sys'
            - '\amsdk.sys'
            - '\kbdcap64.sys'
            - '\vdbsv64.sys'
            - '\pchunter.sys'
            - '\sysconp.sys'
            - '\dh_kernel_10.sys'
            - '\msrhook.sys'
            - '\bedaisy.sys'
            - '\dcr.sys'
            - '\panmonflt.sys'
            - '\bsmixp64.sys'
            - '\otipcibus.sys'
            - '\fidpcidrv.sys'
            - '\kfeco10x64.sys'
            - '\asrdrv104.sys'
            - '\c.sys'
            - '\tdklib64.sys'
            - '\bsmix64.sys'
            - '\bs_flash64.sys'
            - '\stdcdrv64.sys'
            - '\naldrv.sys'
            - '\ctiio64.sys'
            - '\bwrs.sys'
            - '\nicm.sys'
            - '\winio32b.sys'
            - '\paniox64.sys'
            - '\ecsiodriverx64.sys'
            - '\iomem64.sys'
            - '\fidpcidrv64.sys'
            - '\aswarpot.sys'
            - '\bs_rciow1064.sys'
            - '\asmio64.sys'
            - '\openlibsys.sys'
            - '\viraglt64.sys'
            - '\dbk64.sys'
            - '\t7.sys'
            - '\atlaccess.sys'
            - '\nbiolib_x64.sys'
            - '\smep_capcom.sys'
            - '\iqvw64e.sys'
    condition: selection
falsepositives:
    - False positives may occur if one of the vulnerable driver names listed above did not change between versions, so always verify that the driver being loaded is the legitimate, non-vulnerable version.
    - If you see many false positives, you can comment out the driver name or filter on its exact known legitimate location (when possible).
level: low
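As an added illustration that is not part of the rule or of the Sigma project, the Python below evaluates the rule's selection over constructed driver-load events: it implements the case-insensitive `|endswith` match on a five-name subset of the list, and adds a hypothetical allowlist of exact legitimate paths to show the tuning the falsepositives section suggests. The event field names follow Sysmon Event ID 6 (ImageLoaded, EventRecordID), and the allowlisted path is a constructed placeholder.

```python
# Constructed subset of the rule's ImageLoaded|endswith list (the full rule has
# roughly 270 names); these five values are copied from the rule as written.
VULNERABLE_DRIVER_NAMES = [r"\dbutil_2_3.sys", r"\rtcore64.sys", r"\gdrv.sys",
                           r"\procexp.sys", r"\iqvw64e.sys"]

# Hypothetical tuning allowlist, per the rule's falsepositives note: exact
# known-legitimate full paths (lower-cased) of a driver that shares a name with
# a vulnerable one. The path is a constructed placeholder, not a vendor path.
KNOWN_LEGITIMATE_PATHS = {r"c:\program files\examplevendor\procexp.sys"}


def sigma_endswith(value, suffixes):
    """Sigma's |endswith modifier: case-insensitive suffix match, no wildcards.
    Returns the list value that matched, or None. The leading backslash in each
    value is what keeps 'not_gdrv.sys' from matching '\\gdrv.sys'."""
    lowered = value.lower()
    for suffix in suffixes:
        if lowered.endswith(suffix.lower()):
            return suffix
    return None


def evaluate_event(event):
    """Apply the selection and 'condition: selection' to one driver_load event."""
    image = event.get("ImageLoaded", "")
    matched = sigma_endswith(image, VULNERABLE_DRIVER_NAMES)
    if matched is None:
        return {"alert": False, "matched": None, "suppressed": False}
    # Tuning layer: suppress only on an exact, allowlisted full path.
    suppressed = image.lower() in KNOWN_LEGITIMATE_PATHS
    return {"alert": not suppressed, "matched": matched, "suppressed": suppressed}


def run_rule(events):
    """Return the verdicts of the events that fire the rule, with their record ids."""
    hits = []
    for ev in events:
        verdict = evaluate_event(ev)
        if verdict["alert"]:
            hits.append({"EventRecordID": ev["EventRecordID"], **verdict})
    return hits


# Constructed sample events shaped after Sysmon Event ID 6 (Driver loaded).
SAMPLE_EVENTS = [
    {"EventRecordID": 1, "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys"},
    {"EventRecordID": 2, "ImageLoaded": r"C:\Users\Public\DBUtil_2_3.sys"},
    {"EventRecordID": 3, "ImageLoaded": r"C:\Temp\RTCore64.sys"},
    {"EventRecordID": 4, "ImageLoaded": r"C:\Program Files\ExampleVendor\procexp.sys"},
    {"EventRecordID": 5, "ImageLoaded": r"C:\Temp\not_gdrv.sys"},
]
```

Records 2 and 3 fire; record 4 matches by name but is suppressed by the exact-path allowlist, and record 5 shows why the list values keep their leading backslash.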