# Rule: Detection of Suspicious Driver Loads Indicative of EDR Bypass
## Description
This detection rule identifies the loading of suspicious drivers, such as `WN_64.sys` and `wnbios.sys`, which are commonly associated with techniques used to bypass Endpoint Detection and Response (EDR) systems. Attackers may use malicious or modified drivers to disable security software, avoid detection, and establish a foothold within the system. The identified drivers have been linked to sophisticated extortion and ransomware campaigns, as described by Palo Alto Networks' Unit 42 in their analysis of EDR bypass techniques.
Monitoring driver load events for these specific filenames can help detect early signs of an attempted security bypass and give security teams the opportunity to investigate and mitigate the threat before further damage occurs.
- [Palo Alto Networks Unit 42: EDR Bypass Extortion Attempt](https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/?pdf=download&lg=en&_wpnonce=70be2dde45)
## Detection Logic
- Monitors `DeviceEvents` where:
  - The `ActionType` is `"DriverLoad"`.
  - The `FileName` includes `"WN_64.sys"` or `"wnbios.sys"`.
## Tags
- EDR Bypass
- Driver Load
- Security Evasion
- Ransomware
- Suspicious Activity
## Search Query
```kql
DeviceEvents
| where ActionType == "DriverLoad"
| where FileName has_any("WN_64.sys", "wnbios.sys")
```
To also match the known vulnerable drivers by SHA-256 hash, extend the query with the following lines (the combined `where` replaces the filename-only filter above). The page lists one hash; `parse_json` returns a `dynamic` value, so it is converted with `tostring()` before the string operator is applied:
```kql
| extend parsed = parse_json(AdditionalFields)
| where FileName has_any("WN_64.sys", "wnbios.sys")
    or tostring(parsed.ImageSHA256) has_any("6106d1ce671b92d522144fcd3bc01276a975fe5d5b0fde09ca1cca16d09b7143")
```
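The following is an added example, not part of the original rule: a stand-alone Python re-implementation of the rule's matching logic (DriverLoad events matched by filename or by the `ImageSHA256` value inside `AdditionalFields`), useful for unit-testing the detection against constructed `DeviceEvents`-shaped rows before deploying the KQL. The sample rows, device names and the all-zero hash are constructed; only the listed driver names and the one SHA-256 come from the rule.

```python
import json

# Indicators from the rule: driver filenames and the SHA-256 the page lists.
SUSPICIOUS_DRIVER_NAMES = {"wn_64.sys", "wnbios.sys"}
SUSPICIOUS_DRIVER_SHA256 = {
    "6106d1ce671b92d522144fcd3bc01276a975fe5d5b0fde09ca1cca16d09b7143",
}


def image_sha256(additional_fields):
    """Mirror parse_json(AdditionalFields).ImageSHA256; tolerate empty or malformed JSON."""
    if not additional_fields:
        return None
    try:
        parsed = json.loads(additional_fields)
    except (TypeError, ValueError):
        return None
    value = parsed.get("ImageSHA256") if isinstance(parsed, dict) else None
    return value.lower() if isinstance(value, str) else None


def is_suspicious_driver_load(event):
    """True for a DriverLoad event whose FileName or ImageSHA256 matches the rule."""
    if event.get("ActionType") != "DriverLoad":
        return False
    # KQL has_any is case-insensitive, so normalise the name before comparing.
    file_name = (event.get("FileName") or "").lower()
    if file_name in SUSPICIOUS_DRIVER_NAMES:
        return True
    # A renamed copy of the driver still matches on its hash.
    return image_sha256(event.get("AdditionalFields")) in SUSPICIOUS_DRIVER_SHA256


def find_suspicious_driver_loads(events):
    """Return the subset of events the rule would alert on."""
    return [e for e in events if is_suspicious_driver_load(e)]


KNOWN_HASH = next(iter(SUSPICIOUS_DRIVER_SHA256))
BENIGN_HASH = "0" * 64  # constructed placeholder, not a real file hash

# Constructed sample rows shaped like DeviceEvents (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "ActionType": "DriverLoad", "FileName": "WN_64.sys",
     "AdditionalFields": json.dumps({"ImageSHA256": BENIGN_HASH})},
    {"DeviceName": "ws02", "ActionType": "DriverLoad", "FileName": "renamed.sys",
     "AdditionalFields": json.dumps({"ImageSHA256": KNOWN_HASH})},
    {"DeviceName": "ws03", "ActionType": "DriverLoad", "FileName": "afd.sys",
     "AdditionalFields": None},
    {"DeviceName": "ws04", "ActionType": "ProcessCreated", "FileName": "wnbios.sys"},
    {"DeviceName": "ws05", "ActionType": "DriverLoad", "FileName": "WNBIOS.SYS",
     "AdditionalFields": "not json"},
]
```

Running `find_suspicious_driver_loads(SAMPLE_EVENTS)` returns the rows from ws01, ws02 and ws05: the renamed driver is caught by hash, the `ProcessCreated` row is ignored, and malformed `AdditionalFields` does not break the filename match.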
This query is designed to detect potentially malicious activities on a computer system by monitoring for the loading of specific drivers that are often used to bypass security measures. Here's a simple breakdown:

- **Purpose:** The query aims to identify when certain suspicious drivers, specifically `WN_64.sys` and `wnbios.sys`, are loaded onto a system. These drivers are known to be used in techniques that bypass Endpoint Detection and Response (EDR) systems, which are crucial for detecting and responding to security threats.
- **Why It Matters:** Attackers may use these drivers to disable security software, evade detection, and gain control over a system. Detecting these drivers early can help security teams intervene before significant damage occurs, such as during ransomware attacks.
- **How It Works:**
  - Data source: `DeviceEvents` data.
  - Filter: driver load events (`ActionType == "DriverLoad"`) whose `FileName` is `WN_64.sys` or `wnbios.sys`.
  - Additional detection: the query can be extended to also check for specific driver hashes (unique identifiers for files) by parsing additional fields. This helps in identifying known vulnerable drivers by their unique hash values.
- **Tags:** The query is associated with tags like EDR Bypass, Driver Load, Security Evasion, Ransomware, and Suspicious Activity, indicating its focus on detecting security evasion tactics.

By using this query, security teams can monitor for early signs of security bypass attempts and take action to protect their systems from potential threats.

Ali Hussein
Released: November 4, 2024