Vulnerable Driver Load By Name

Sigma Rules

Summary
The detection rule "Vulnerable Driver Load By Name" identifies the loading of known vulnerable drivers on Windows systems. It looks for driver files associated with various vulnerabilities, including privilege escalation exploits. The rule inspects the 'ImageLoaded' field and matches when the loaded image path ends with any of the driver names listed in the detection criteria (such as 'panmonfltx64.sys', 'dbutil.sys', or 'fairplaykd.sys'). A match triggers an alert indicating potential risk from the presence of a vulnerable driver, which matters for system integrity because such drivers can be exploited by malicious actors to gain elevated privileges. False positives can occur when a driver's file name has not changed across versions, so matches need careful validation against legitimate, current driver versions. Organizations are therefore encouraged to monitor the loading of these drivers closely and ensure they are using secure, updated versions.
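As an added example (not the rule's own code), the name-based match the summary describes, applied to constructed driver-load events; the 'ImageLoaded' field is the one the page cites, the Sysmon Event ID 6 (DriverLoad) event shape is assumed, and only the three driver names quoted above are used:

```python
# Added example of the "endswith on ImageLoaded" check the rule performs.
# Not the Sigma rule itself; only a subset of its driver names is included.
from typing import Iterable

# Driver file names quoted on this page (the full rule lists more).
VULNERABLE_DRIVER_NAMES = (
    "panmonfltx64.sys",
    "dbutil.sys",
    "fairplaykd.sys",
)


def is_vulnerable_driver_load(event: dict) -> bool:
    """Return True when the event's ImageLoaded path ends with a listed name.

    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased. Only the file name is compared, which is why a patched driver
    that kept its old file name still matches (the false positive noted above).
    """
    image = event.get("ImageLoaded")
    if not isinstance(image, str):
        return False  # no ImageLoaded field: the rule cannot match
    path = image.lower()
    return any(path.endswith(name) for name in VULNERABLE_DRIVER_NAMES)


def scan_driver_loads(events: Iterable[dict]) -> list:
    """Return the subset of events the rule would alert on."""
    return [e for e in events if is_vulnerable_driver_load(e)]


# Constructed sample events in the shape of Sysmon Event ID 6 (DriverLoad).
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\DBUtil.sys"},
    {"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\panmonfltx64.sys"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys"},
    {"EventID": 6, "ImageLoaded": "C:\\Temp\\fairplaykd.sys.bak"},  # name not at end
    {"EventID": 6, "Image": "C:\\Windows\\System32\\ntoskrnl.exe"},  # no ImageLoaded
]

if __name__ == "__main__":
    for hit in scan_driver_loads(SAMPLE_EVENTS):
        print("ALERT vulnerable driver load:", hit["ImageLoaded"])
```

Validating a hit still requires comparing the loaded file's version or hash against the vendor's fixed release, since the name alone cannot distinguish a patched build.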
Categories
  • Windows
  • Endpoint
Data Sources
  • Driver
Created: 2022-10-03