Query Details
// EDR and AV Killer - A Large Scale Driver Exploitation Detection
// https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/
let Truesight202Variants = externaldata(FileHash:string)
    [h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/SHA-256-Truesight-Driver-Variants-Ver202.txt'];
let EDRKillerFileHashes = Truesight202Variants | project FileHash;
DeviceFileEvents
| where TimeGenerated > ago(90d)
// has_any accepts the single-column tabular expression above; a match on either the
// written file's hash or the initiating process's hash is reported
| where InitiatingProcessSHA256 has_any (EDRKillerFileHashes) or SHA256 has_any (EDRKillerFileHashes)
//
// EDR & AV Killer
// The legacy Truesight.sys driver (version 2.0.2) has 2,500+ variants bypassing the latest
// Microsoft Vulnerable Driver Blocklist and common detection mechanisms. The above KQL scans
// DeviceFileEvents for the past 90 days for potential truesight.sys variant presence.
This query is designed to detect potential exploitation of a legacy driver known as "Truesight.sys" (version 2.0.2) by scanning for its variants. Here's a simplified breakdown of what the query does:
Load Known Variants: It retrieves a list of known file hashes (SHA-256) for different variants of the Truesight.sys driver from an external source.
Filter Device Events: It examines device file events from the past 90 days.
Identify Matches: It checks whether either the file's SHA-256 or the initiating process's SHA-256 matches any of the known Truesight.sys variant hashes.
Purpose: The goal is to identify instances where this driver, which can bypass certain security mechanisms, might have been used on devices within the specified timeframe.
In essence, the query is looking for signs of a potentially malicious driver being used on devices by comparing file hashes against a known list of variants.
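The same matching logic in plain Python, as an added example that is not part of the original query page: it parses a one-hash-per-line feed the way the externaldata() call does, applies the 90-day window, and reports rows whose SHA256 or InitiatingProcessSHA256 is on the list. The hashes and DeviceFileEvents-style rows are constructed placeholders, not real Truesight.sys indicators or real telemetry, and the set lookup is an exact case-insensitive comparison rather than KQL's has_any term matching.

```python
# Added example, not from the original page: Python equivalent of the KQL
# hash match, run over constructed DeviceFileEvents-style rows.
import re
from datetime import datetime, timedelta, timezone

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed stand-in for the externaldata() feed (one hash per line, no header).
# These are placeholder values, NOT real Truesight.sys hashes; the real list is
# the GitHub URL in the query above. Mixed case, a blank line and junk are
# included on purpose so the loader has to normalise and validate.
IOC_FEED = """
0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210

not-a-hash
"""


def load_hash_list(feed_text):
    """Parse the feed into a lowercase set, dropping blank lines and anything
    that is not a 64-hex-character SHA-256."""
    hashes = set()
    for line in feed_text.splitlines():
        value = line.strip().lower()
        if SHA256_RE.match(value):
            hashes.add(value)
    return hashes


def find_edr_killer_events(events, ioc_hashes, now=None, window_days=90):
    """Mirror of the DeviceFileEvents query: keep rows newer than
    `window_days`, then report each row whose InitiatingProcessSHA256 or
    SHA256 is in the IOC set. Returns (row, matched_field) pairs."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=window_days)   # ago(90d)
    hits = []
    for row in events:
        if row["TimeGenerated"] <= cutoff:       # TimeGenerated > ago(90d)
            continue
        for field in ("InitiatingProcessSHA256", "SHA256"):
            if (row.get(field) or "").lower() in ioc_hashes:
                hits.append((row, field))
                break                            # one report per row
    return hits


# Constructed sample rows (not real telemetry). Column names follow the
# DeviceFileEvents schema.
NOW = datetime(2025, 2, 26, tzinfo=timezone.utc)
KNOWN = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
OTHER = "1111111111111111111111111111111111111111111111111111111111111111"
SAMPLE_EVENTS = [
    # driver file written recently: matches on the file hash
    {"TimeGenerated": NOW - timedelta(days=3), "DeviceName": "ws01",
     "FileName": "truesight.sys", "SHA256": KNOWN,
     "InitiatingProcessSHA256": OTHER},
    # a known variant is the *initiating* process writing some other file
    {"TimeGenerated": NOW - timedelta(days=10), "DeviceName": "ws02",
     "FileName": "dropper.tmp", "SHA256": OTHER,
     "InitiatingProcessSHA256": KNOWN.upper()},
    # matches, but outside the 90-day window, so excluded like the query
    {"TimeGenerated": NOW - timedelta(days=100), "DeviceName": "ws03",
     "FileName": "truesight.sys", "SHA256": KNOWN,
     "InitiatingProcessSHA256": OTHER},
    # benign row: no hash on the list
    {"TimeGenerated": NOW - timedelta(days=1), "DeviceName": "ws04",
     "FileName": "notepad.exe", "SHA256": OTHER,
     "InitiatingProcessSHA256": OTHER},
]


def run_sample():
    """Run the detection over the constructed rows; returns the hit list."""
    return find_edr_killer_events(SAMPLE_EVENTS, load_hash_list(IOC_FEED), now=NOW)


if __name__ == "__main__":
    for row, field in run_sample():
        print(f"{row['DeviceName']}: {row['FileName']} matched on {field}")
```

Both hash columns are checked because the driver can appear either as the file being written (the drop) or as the process that is already loaded and doing the writing; the second case is the one a file-name-only rule misses.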

Steven Lim
Released: February 26, 2025