From df2a62d85b0d93a169c0a88eec9de270167cd9d2 Mon Sep 17 00:00:00 2001 From: kevross33 Date: Mon, 23 Feb 2026 02:19:35 +0000 Subject: [PATCH 1/2] Sig installing kernel service driver --- modules/signatures/windows/driver_load.py | 37 ++++++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) diff --git a/modules/signatures/windows/driver_load.py b/modules/signatures/windows/driver_load.py index 2861d9dc..67b0e72a 100644 --- a/modules/signatures/windows/driver_load.py +++ b/modules/signatures/windows/driver_load.py @@ -15,7 +15,6 @@ from lib.cuckoo.common.abstracts import Signature - class DriverLoad(Signature): name = "driver_load" description = "Loads a driver" @@ -44,3 +43,39 @@ def on_call(self, call, process): def on_complete(self): return self.found_driverload + +class InstallKernelDriverService(Signature): + name = "install_kernel_driver_service" + description = "Installs a new kernel driver service, indicative of Bring Your Own Vulnerable Driver (BYOVD) attacks or a rootkit" + severity = 3 + confidence = 80 + categories = ["driver", "rootkit", "bypass", "wiper"] + authors = ["Kevin Ross"] + minimum = "1.3" + evented = True + enabled = True + ttps = ["T1543.003", "T1068", "T1070.004"] + mbcs = ["E1543.003", "F0011"] + + filter_apinames = set(["CreateServiceA", "CreateServiceW"]) + + def __init__(self, *args, **kwargs): + Signature.__init__(self, *args, **kwargs) + self.ret = False + + def on_call(self, call, process): + service_type = self.get_argument(call, "ServiceType") + binary_path = self.get_argument(call, "BinaryPathName") + is_kernel_driver = False + if isinstance(service_type, str) and "SERVICE_KERNEL_DRIVER" in service_type: + is_kernel_driver = True + elif service_type in (1, 0x1, "1", "0x00000001"): + is_kernel_driver = True + + if is_kernel_driver: + if binary_path and binary_path.lower().endswith(".sys"): + self.ret = True + self.mark_call() + + def on_complete(self): + return self.ret 
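Review bot: The `.sys` requirement on BinaryPathName in on_call is fragile and narrows coverage: a service binary path is often logged quoted (`"C:\...\drv.sys"`) or with surrounding whitespace, so `endswith(".sys")` fails on a genuine driver install, and the extension is attacker-chosen while the ServiceType match already pins the event as a kernel driver service. I would normalize first, `path = binary_path.strip().strip('"').lower()`, and consider reporting on the ServiceType match regardless of extension, keeping `.sys` only as a confidence boost. The literal tuple `(1, 0x1, "1", "0x00000001")` also omits SERVICE_FILE_SYSTEM_DRIVER (0x2), which file-system and minifilter drivers use; whether the monitor renders ServiceType as a flag name or a hex string should be checked against existing signatures before extending it. The same logic is carried into the second patch in this series, so the change applies there too.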
From 910d89528cef8cbf2b8e757cb37bd8ce23d292ee Mon Sep 17 00:00:00 2001 From: doomedraven Date: Tue, 24 Feb 2026 08:24:14 +0100 Subject: [PATCH 2/2] Apply suggestions from code review Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --- modules/signatures/windows/driver_load.py | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/modules/signatures/windows/driver_load.py b/modules/signatures/windows/driver_load.py index 67b0e72a..5d374ff2 100644 --- a/modules/signatures/windows/driver_load.py +++ b/modules/signatures/windows/driver_load.py @@ -54,28 +54,25 @@ class InstallKernelDriverService(Signature): minimum = "1.3" evented = True enabled = True - ttps = ["T1543.003", "T1068", "T1070.004"] + ttps = ["T1543.003", "T1068", "T1547.006"] mbcs = ["E1543.003", "F0011"] filter_apinames = set(["CreateServiceA", "CreateServiceW"]) def __init__(self, *args, **kwargs): Signature.__init__(self, *args, **kwargs) - self.ret = False + self.found = False def on_call(self, call, process): service_type = self.get_argument(call, "ServiceType") binary_path = self.get_argument(call, "BinaryPathName") - is_kernel_driver = False - if isinstance(service_type, str) and "SERVICE_KERNEL_DRIVER" in service_type: - is_kernel_driver = True - elif service_type in (1, 0x1, "1", "0x00000001"): - is_kernel_driver = True - if is_kernel_driver: - if binary_path and binary_path.lower().endswith(".sys"): - self.ret = True - self.mark_call() + is_kernel_driver = (isinstance(service_type, str) and "SERVICE_KERNEL_DRIVER" in service_type) or \ + service_type in (1, "1", "0x00000001") + + if is_kernel_driver and binary_path and binary_path.lower().endswith(".sys"): + self.found = True + self.mark_call() def on_complete(self): - return self.ret + return self.found
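Review bot: The backslash continuation on the new `is_kernel_driver = (...) or \` line in on_call is a style point; PEP 8 prefers wrapping the expression in an outer pair of parentheses, e.g. `is_kernel_driver = ((isinstance(service_type, str) and "SERVICE_KERNEL_DRIVER" in service_type)` / `                    or service_type in (1, "1", "0x00000001"))`, which also removes the risk of a trailing-whitespace-after-backslash syntax error. The ttps change to T1547.006 (Kernel Modules and Extensions) looks like a loose fit for a Windows driver installed through the service manager; T1543.003 already covers the service path and T1014 (Rootkit) matches the description's rootkit claim more directly, so it is worth confirming against the ATT&CK entries. The mixed int/str tuple `(1, "1", "0x00000001")` suggests uncertainty about how get_argument renders ServiceType; a one-line comment stating the form the monitor actually emits would help the next maintainer.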