EDR and AV Killer - A Large Scale Driver Exploitation Detection.kql

SlimKQL · Feb 26, 2025 · f39d3ec · f39d3ec
1 parent 76316d9
commit f39d3ec
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/Sentinel/EDR and AV Killer - A Large Scale Driver Exploitation Detection.kql b/Sentinel/EDR and AV Killer - A Large Scale Driver Exploitation Detection.kql
@@ -0,0 +1,16 @@
+// EDR and AV Killer - A Large Scale Driver Exploitation Detection
+// https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/
+
+let Truesight202Variants=externaldata(FileHash:string)
+[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/SHA-256-Truesight-Driver-Variants-Ver202.txt'];
+let EDRKillerFileHashes =
+Truesight202Variants
+| project FileHash;
+DeviceFileEvents
+| where TimeGenerated > ago(90d)
+| where InitiatingProcessSHA256 has_any(EDRKillerFileHashes) or SHA256 has_any(EDRKillerFileHashes)
+//
+// EDR & AV Killer
+// The legacy Truesight.sys driver (version 2.0.2) has 2,500+ variants bypassing the latest
+// Microsoft Vulnerable Driver Blocklist and common detection mechanisms. The above KQL scan
+// across DeviceFileEvents for the past 90 days for potential truesight.sys variant presence.