|
| 1 | +# --- Query Metadata --- |
| 2 | +# Human-readable name for the query. Will be displayed as the title. |
| 3 | +name: BYOVD Driver Load with EDR/AV Process Termination (Medusa Ransomware) |
| 4 | + |
| 5 | +# MITRE ATT&CK technique IDs |
| 6 | +mitre_ids: |
| 7 | + - T1562.001 |
| 8 | + - T1068 |
| 9 | + - T1014 |
| 10 | + |
| 11 | +# Description of what the query does and its purpose. |
| 12 | +description: | |
| 13 | + Detects Bring Your Own Vulnerable Driver (BYOVD) attacks by correlating vulnerable kernel driver loads with security software termination on the same host. This technique has been actively used by the Medusa ransomware group to disable EDR/AV tooling before encryption. Covers both known-bad driver names and anomalous driver loads from user writable paths. |
| 14 | +
|
| 15 | +# The author or team that created the query. |
| 16 | +author: cap10 |
| 17 | + |
| 18 | +# The required log sources to run this query successfully in Next-Gen SIEM. |
| 19 | +log_sources: |
| 20 | + - Endpoint |
| 21 | + |
| 22 | +# The CrowdStrike modules required to run this query. |
| 23 | +cs_required_modules: |
| 24 | + - Insight |
| 25 | + |
| 26 | +# Tags for filtering and categorization. |
| 27 | +tags: |
| 28 | + - Hunting |
| 29 | + |
| 30 | +# --- Query Content --- |
| 31 | +# The actual CrowdStrike Query Language (CQL) code. |
| 32 | +# Using the YAML block scalar `|` allows for multi-line strings. |
| 33 | +cql: | |
| 34 | + /* Phase 1 — Detect BYOVD: known-vulnerable or out-of-place signed drivers */ |
| 35 | + #event_simpleName = DriverLoad OR #event_simpleName = ClassifiedModuleLoad |
| 36 | + | case { |
| 37 | + in(field=FileName, values=[ |
| 38 | + "gdrv.sys", "msio64.sys", "ntiolib.sys", "kprocesshacker.sys", |
| 39 | + "physmem.sys", "dbk64.sys", "procexp152.sys", "NSSM.sys", |
| 40 | + "wantd.sys", "AsrDrv104.sys", "mhyprot2.sys" |
| 41 | + ]) | BYOVDIndicator := "Known vulnerable driver loaded"; |
| 42 | + FilePath = /AppData|Temp|ProgramData|Users\\.*\\Desktop/i |
| 43 | + FileName = /\.sys$/i |
| 44 | + | BYOVDIndicator := "Driver loaded from suspicious user-writable path"; |
| 45 | + * | BYOVDIndicator := "none"; |
| 46 | + } |
| 47 | + | BYOVDIndicator != "none" |
| 48 | + | join( |
| 49 | + { |
| 50 | + #event_simpleName = TerminateProcess |
| 51 | + | ImageFileName = /(MsMpEng|CsAgent|CsFalconService|csshell|SentinelAgent|cbdefense|MBAMService|avp\.exe|fmon|avgnt|bdservicehost|mcshield|ekrn)\.exe$/i |
| 52 | + | rename(field=ImageFileName, as=TerminatedSecurity) |
| 53 | + }, |
| 54 | + field=aid, key=aid |
| 55 | + ) |
| 56 | + | TerminatedSecurity = * |
| 57 | +
|
| 58 | +# Explanation of the query. |
| 59 | +# Using the YAML block scalar `|` allows for multi-line strings. |
| 60 | +# Uses markdown for formatting on the webpage. |
| 61 | +explanation: | |
| 62 | + This technique has been actively observed in Medusa ransomware campaigns, |
| 63 | + where the group drops a signed but vulnerable kernel driver (commonly |
| 64 | + repurposed anti-cheat or AV drivers) to gain kernel-level access and |
| 65 | + forcibly terminate endpoint protection before deploying the ransomware |
| 66 | + payload. CISA issued advisory AA25-071A covering Medusa's BYOVD usage. |
| 67 | + |
| 68 | + The query is not Medusa-specific — it will detect any BYOVD campaign |
| 69 | + following the same pattern, including BlackByte, Scattered Spider, Cuba, |
| 70 | + and AvosLocker, all of which have used similar techniques. |
0 commit comments