Derusbi Driver version

Hunt Hypothesis

The Derusbi Driver version detection identifies potential adversary activity involving the Derusbi driver, which may indicate the presence of malware or persistence mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage compromises and mitigate potential lateral movement or data exfiltration.

YARA Rule

rule derusbi_kernel
{

    meta:
        description = "Derusbi Driver version"
        date = "2015-12-09"
        author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud"

    strings:
        $token1 = "$$$--Hello"
        $token2 = "Wrod--$$$"
        $cfg = "XXXXXXXXXXXXXXX"
        $class = ".?AVPCC_BASEMOD@@"
        $MZ = "MZ"

    condition:
        $MZ at 0 and $token1 and $token2 and $cfg and $class
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 5 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: System update or patching process using Windows Update or Microsoft Endpoint Manager (MEM)
  Filter/Exclusion: Check for EventID 6008 (System shutdown) or EventID 6006 (Event log service started) in the same timeframe, or filter by ProcessName containing wuauclt.exe or setup.exe.

• Scenario: Scheduled job running Windows Defender Antivirus scan using Microsoft Defender
  Filter/Exclusion: Filter by ProcessName containing MsMpEng.exe or check for EventID 1001 (Antivirus scan started) in the same timeframe.

• Scenario: Group Policy Object (GPO) deployment that triggers a system reboot or configuration change
  Filter/Exclusion: Filter by EventID 6008 (System shutdown) or check for EventID 1000 (System event log cleared) in the same timeframe, or include ProcessName like gupdate.exe or gpupdate.exe.

• Scenario: Windows Task Scheduler running a legitimate maintenance task, such as Disk Defragmentation Service
  Filter/Exclusion: Filter by ProcessName containing defrag.exe or dfrgcfg.exe, or check for EventID 1000 (Task Scheduler event) in the same timeframe.

• Scenario: System File Checker (SFC) or DISM running to repair system files
  Filter/Exclusion: Filter by ProcessName containing sfc.exe or dism.exe, or check for EventID 6008 (System shutdown) or EventID 6006 (Event log service started) in the same timeframe.