Query Details

Rule : Detection of Suspicious Driver Loads Indicative of EDR Bypass

EDR Sandblast

Query

DeviceEvents
| where ActionType == "DriverLoad"
| where FileName has_any("WN_64.sys", "wnbios.sys")

About this query

Explanation

This query is designed to detect potentially malicious activity on a computer system by monitoring for the loading of specific suspicious drivers. These drivers, named WN_64.sys and wnbios.sys, are known to be used by attackers to bypass security measures like Endpoint Detection and Response (EDR) systems. By loading these drivers, attackers can disable security software, evade detection, and potentially carry out further malicious activities such as ransomware attacks.

The query works by looking at device events where the action type is "DriverLoad" and checking if the file name of the driver being loaded matches either WN_64.sys or wnbios.sys. Additionally, it can be extended to check for specific file hashes (SHA256) associated with these drivers, providing an extra layer of detection.

The purpose of this query is to alert security teams to the early signs of a security bypass attempt, allowing them to investigate and respond before any significant damage is done. The query is tagged with terms like EDR Bypass, Driver Load, Security Evasion, Ransomware, and Suspicious Activity to categorize the type of threat it is designed to detect.

Details

Ali Hussein profile picture

Ali Hussein

Released: November 14, 2024

Tables

DeviceEvents

Keywords

DeviceEventsDriverLoadFileNameAdditionalFieldsImageSHA256

Operators

DeviceEventswhereActionType=="DriverLoad"FileNamehas_any"WN_64.sys""wnbios.sys"extendparsedparse_jsonAdditionalFieldsorparsed.ImageSHA256

Actions

GitHub