The Derusbi Kernel Driver is a sophisticated malware component used by advanced adversaries to maintain persistence and evade detection within the host system. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and neutralize persistent, stealthy threats that could compromise critical infrastructure.
YARA Rule
rule Derusbi_Kernel_Driver_WD_UDFS
{
    meta:
        description = "Detects Derusbi Kernel Driver"
        author = "Florian Roth"
        reference = "http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family"
        date = "2015-12-15"
        score = 80
        hash1 = "1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016"
        hash2 = "50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a"
        hash3 = "6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58"
        hash4 = "e27fb16dce7fff714f4b05f2cef53e1919a34d7ec0e595f2eaa155861a213e59"
    strings:
        $x1 = "\\\\.\\pipe\\usbpcex%d" fullword wide
        $x2 = "\\\\.\\pipe\\usbpcg%d" fullword wide
        $x3 = "\\??\\pipe\\usbpcex%d" fullword wide
        $x4 = "\\??\\pipe\\usbpcg%d" fullword wide
        $x5 = "$$$--Hello" fullword ascii
        $x6 = "Wrod--$$$" fullword ascii
        $s1 = "\\Registry\\User\\%s\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" fullword wide
        $s2 = "Update.dll" fullword ascii
        $s3 = "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\WMI" fullword wide
        $s4 = "\\Driver\\nsiproxy" fullword wide
        $s5 = "HOST: %s" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 800KB and (2 of ($x*) or all of ($s*))
}
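To make the rule's matching semantics concrete, here is an added example (my own illustration, not part of the rule or its author's tooling) that re-implements the condition in plain Python without yara-python: the MZ header check, the 800KB size bound, "wide" strings as UTF-16LE, the fullword boundary rule, and the "2 of ($x*) or all of ($s*)" logic. The buffer it scans is constructed for the example, not a real sample.

```python
"""Added example (not part of the original rule or its author's tooling):
a plain-Python emulation of the Derusbi_Kernel_Driver_WD_UDFS condition,
so the matching semantics can be stepped through on a constructed buffer
without yara-python.  Simplifications are noted inline."""

# Strings copied from the rule.  'wide' means UTF-16LE on disk; every
# string in this rule is declared fullword.
X_STRINGS = [
    ("$x1", r"\\.\pipe\usbpcex%d", "wide"),
    ("$x2", r"\\.\pipe\usbpcg%d", "wide"),
    ("$x3", r"\??\pipe\usbpcex%d", "wide"),
    ("$x4", r"\??\pipe\usbpcg%d", "wide"),
    ("$x5", "$$$--Hello", "ascii"),
    ("$x6", "Wrod--$$$", "ascii"),
]
S_STRINGS = [
    ("$s1", r"\Registry\User\%s\Software\Microsoft\Windows\CurrentVersion\Internet Settings", "wide"),
    ("$s2", "Update.dll", "ascii"),
    ("$s3", r"\Registry\Machine\SYSTEM\CurrentControlSet\Control\WMI", "wide"),
    ("$s4", r"\Driver\nsiproxy", "wide"),
    ("$s5", "HOST: %s", "ascii"),
]
MAX_SIZE = 800 * 1024  # YARA's 800KB is 800 * 1024 bytes


def _is_alnum_char(data, pos, wide):
    """True if the ascii (or UTF-16LE) character starting at pos is alphanumeric."""
    width = 2 if wide else 1
    if pos < 0 or pos + width > len(data):
        return False
    if wide and data[pos + 1] != 0:
        return False
    return bytes([data[pos]]).isalnum()


def find_string(data, text, encoding):
    """Offsets where text occurs in data, honouring YARA's fullword rule: the
    match must not be adjacent to an alphanumeric character (for wide strings
    the neighbouring UTF-16 code unit is what is examined)."""
    wide = encoding == "wide"
    pattern = text.encode("utf-16-le" if wide else "ascii")
    width = 2 if wide else 1
    hits = []
    pos = data.find(pattern)
    while pos != -1:
        end = pos + len(pattern)
        if not _is_alnum_char(data, pos - width, wide) and not _is_alnum_char(data, end, wide):
            hits.append(pos)
        pos = data.find(pattern, pos + 1)
    return hits


def evaluate(data):
    """Return (condition_result, sorted names of matched strings)."""
    matched = sorted(
        name for name, text, enc in X_STRINGS + S_STRINGS if find_string(data, text, enc)
    )
    x_hits = sum(1 for n in matched if n.startswith("$x"))
    s_hits = sum(1 for n in matched if n.startswith("$s"))
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D  # uint16(0) == 0x5a4d
    result = is_mz and len(data) < MAX_SIZE and (x_hits >= 2 or s_hits == len(S_STRINGS))
    return result, matched


def build_sample(with_mz=True, glue_x5=False, pad_to=0):
    """Constructed test buffer (not a real sample): an MZ header followed by a
    few of the rule's strings separated by NUL filler."""
    sep = b"\x00" * 4
    x5 = b"a$$$--Hellob" if glue_x5 else b"$$$--Hello"  # glued = no fullword boundary
    body = (
        (b"MZ" if with_mz else b"PE") + b"\x00" * 62 + sep
        + x5 + sep
        + r"\\.\pipe\usbpcg%d".encode("utf-16-le") + sep  # $x2 as a wide string
        + b"HOST: %s" + sep                              # $s5 alone never satisfies all of ($s*)
    )
    return body + b"\x00" * max(0, pad_to - len(body))


if __name__ == "__main__":
    cases = [("baseline", build_sample()), ("no MZ", build_sample(with_mz=False)),
             ("glued $x5", build_sample(glue_x5=True)), ("oversized", build_sample(pad_to=900 * 1024))]
    for label, buf in cases:
        print(label, evaluate(buf))
```

The "glued $x5" case is the one worth noting: the bytes of `$$$--Hello` are present, but because an alphanumeric character sits on either side the fullword modifier rejects the hit, only `$x2` remains in the `$x` group, and the condition fails. The same boundary check applies to the wide strings two bytes at a time.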
This rule contains 11 string patterns in its detection logic: six high-confidence $x strings and five supporting $s strings. When the rule is deployed, the following scenarios are common sources of benign matches, together with the filter or exclusion that can be applied to each:
Scenario: System update or patching process using Windows Update or WSUS
Filter/Exclusion: Check for ProcessName containing wuauclt.exe or wusa.exe
Rationale: These processes are commonly used during system updates and may trigger the rule because their behavior resembles that of the malicious driver.
Scenario: Legitimate kernel driver installation via Group Policy Preferences (GPP)
Filter/Exclusion: Check for ProcessName containing gpupdate.exe or gpreference.exe
Rationale: GPP can deploy drivers as part of policy, which may be flagged by the rule due to kernel driver activity.
Scenario: Scheduled job using Task Scheduler to run a legitimate kernel-mode tool like WMI or Windows Performance Analyzer (WPA)
Filter/Exclusion: Check for ProcessName containing taskschd.exe or wpa.exe
Rationale: Scheduled tasks may execute kernel-mode tools that could be mistaken for malicious driver activity.
Scenario: Admin task using PowerShell to manage kernel drivers, such as pnputil or sc.exe
Filter/Exclusion: Check for ProcessName containing powershell.exe or pnputil.exe
Rationale: PowerShell scripts or commands used by administrators to manage drivers may trigger the rule.
Scenario: Use of Windows Sandbox or Containerization tools like Docker with kernel-level interactions
Filter/Exclusion: Check for ProcessName containing sandbox.exe or dockerd.exe
Rationale: These tools may interact with the kernel in ways that resemble malicious driver behavior.
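As an added example (my own illustration, not part of the page's tooling), the following applies the process-name exclusions listed above to constructed Sentinel-style alert records. The field names (AlertId, Computer, ProcessName, MatchedStrings) and the records themselves are assumptions for the illustration; the one design choice added here is that an alert in which two of the $x named-pipe strings matched is kept even when the process is on the exclusion list, since those strings are specific to the driver.

```python
"""Added example (not part of the original page's tooling): applies the
process-name exclusions from the scenarios above to constructed alert
records.  Field names and records are assumptions for the illustration."""

# Exclusions taken from the scenarios above, keyed on the image basename.
EXCLUDED_PROCESSES = {
    "wuauclt.exe", "wusa.exe",          # Windows Update / WSUS
    "gpupdate.exe", "gpreference.exe",  # Group Policy Preferences
    "taskschd.exe", "wpa.exe",          # Task Scheduler / WPA
    "powershell.exe", "pnputil.exe",    # administrative driver management
    "sandbox.exe", "dockerd.exe",       # Windows Sandbox / Docker
}


def process_basename(process_name):
    """Normalise a ProcessName value (bare name or full image path, either
    separator, any case) to a lower-case basename for the exclusion lookup."""
    return process_name.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_high_confidence(matched_strings):
    """Design choice added here (not from the page): two of the $x named-pipe
    strings are specific enough that no process exclusion should silence them."""
    return sum(1 for s in matched_strings if s.startswith("$x")) >= 2


def triage(alerts):
    """Split alerts into (kept, suppressed) according to the exclusions."""
    kept, suppressed = [], []
    for alert in alerts:
        proc = process_basename(alert.get("ProcessName", ""))
        if proc in EXCLUDED_PROCESSES and not is_high_confidence(alert["MatchedStrings"]):
            suppressed.append(alert)
        else:
            kept.append(alert)
    return kept, suppressed


# Constructed alert records, not real telemetry.
SAMPLE_ALERTS = [
    {"AlertId": 1, "Computer": "ws01", "ProcessName": "wuauclt.exe",
     "MatchedStrings": ["$s1", "$s2", "$s3", "$s4", "$s5"]},
    {"AlertId": 2, "Computer": "ws02", "ProcessName": r"C:\Windows\System32\WUAUCLT.EXE",
     "MatchedStrings": ["$x1", "$x2", "$s5"]},
    {"AlertId": 3, "Computer": "srv01", "ProcessName": r"C:\Windows\System32\services.exe",
     "MatchedStrings": ["$s1", "$s2", "$s3", "$s4", "$s5"]},
    {"AlertId": 4, "Computer": "build01", "ProcessName": r"C:\Program Files\Docker\dockerd.exe",
     "MatchedStrings": ["$s1", "$s2", "$s3", "$s4", "$s5"]},
]


def triage_ids(alerts=SAMPLE_ALERTS):
    """Convenience wrapper returning (kept ids, suppressed ids)."""
    kept, suppressed = triage(alerts)
    return [a["AlertId"] for a in kept], [a["AlertId"] for a in suppressed]


if __name__ == "__main__":
    print(triage_ids())
```

Alert 2 illustrates the override: the process is wuauclt.exe, which the first scenario excludes, but two $x strings matched, so it stays in the queue. Matching on the basename rather than the raw ProcessName value is what makes the exclusion hold for full image paths and mixed case.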