T1068 - gdrv.sys Load Attempt - EDR Detection Queries
EDR detection queries for identifying BYOVD exploitation attempts using the vulnerable gdrv.sys Gigabyte driver.
Properties
| Property | Value |
|---|---|
| Platform | EDR |
| Query Language | LogScale / PowerQuery |
| MITRE TTP | T1068 |
| Detection Stage | Prevented |
| Status | Verified |
| Related TTPs | T1068 – BYOVD Exploitation |
| Related Playbook | T1068 – Vulnerable Driver Write Response Playbook |
Query (LogScale Example)
```
// Search for vulnerable or revoked driver loads (gdrv.sys)
event_simpleName=DriverLoad
// Match the driver by file name at the end of the load path, case-insensitively
| file_path=/gdrv\.sys$/i
// Keep only loads whose signing status is not a valid signature
| in(field="SigningStatus", values=["Revoked", "Unknown", "Unsigned"])
| select([eventTime, ComputerName, FileName, FileHash, SigningStatus, SignatureVendor, eventType])
```
Query (PowerQuery Example)
```
filter(
    event.type == "Driver Load" and
    (tgt.file.name == "gdrv.sys" or tgt.file.hash.sha256 == "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427")
)
| columns event.time, agent.uuid, src.process.name, src.process.cmdline, tgt.file.hash.sha256, tgt.file.signature.validity
| sort -event.time
```
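The same detection logic as the two queries above, run over constructed driver-load telemetry so the name, hash and signing-status conditions can be checked offline. This is an added example, not part of the original page or of any EDR vendor's tooling; the JSON field names (`event_type`, `file_path`, `sha256`, `signing_status`, `host`) are assumptions, only the gdrv.sys SHA-256 comes from the page.

```python
import json
from pathlib import PureWindowsPath

# SHA-256 of the vulnerable gdrv.sys, as given in the PowerQuery on this page.
GDRV_SHA256 = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427"
# Signing states the LogScale variant alerts on.
BAD_SIGNING = {"revoked", "unknown", "unsigned"}


def is_gdrv_load(event: dict, require_bad_signature: bool = False) -> bool:
    """True when a driver-load event matches the rule.

    The name check uses the basename of the load path, case-insensitively,
    so the driver is caught at any path and as GDRV.SYS. The hash check
    catches a renamed copy of the same binary (PowerQuery behaviour).
    With require_bad_signature=True the LogScale SigningStatus filter
    is applied on top of the name/hash match.
    """
    if event.get("event_type") != "DriverLoad":
        return False
    name = PureWindowsPath(event.get("file_path", "")).name.lower()
    sha256 = event.get("sha256", "").lower()
    if name != "gdrv.sys" and sha256 != GDRV_SHA256:
        return False
    if require_bad_signature:
        return event.get("signing_status", "").lower() in BAD_SIGNING
    return True


def find_matches(lines, require_bad_signature: bool = False):
    """Run the rule over newline-delimited JSON events; return (host, path) hits."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if is_gdrv_load(ev, require_bad_signature):
            hits.append((ev["host"], ev["file_path"]))
    return hits


# Constructed sample telemetry (assumed field names, not real EDR output).
SAMPLE_EVENTS = [
    '{"event_type":"DriverLoad","host":"WS01","file_path":"C:\\\\Windows\\\\Temp\\\\gdrv.sys","sha256":"31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427","signing_status":"Revoked"}',
    '{"event_type":"DriverLoad","host":"WS02","file_path":"C:\\\\Users\\\\Public\\\\GDRV.SYS","sha256":"0000000000000000000000000000000000000000000000000000000000000000","signing_status":"Valid"}',
    '{"event_type":"DriverLoad","host":"WS03","file_path":"C:\\\\ProgramData\\\\x.sys","sha256":"31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427","signing_status":"Valid"}',
    '{"event_type":"DriverLoad","host":"WS04","file_path":"C:\\\\Windows\\\\System32\\\\drivers\\\\disk.sys","sha256":"1111111111111111111111111111111111111111111111111111111111111111","signing_status":"Valid"}',
    '{"event_type":"ProcessCreate","host":"WS05","file_path":"C:\\\\Temp\\\\gdrv.sys","sha256":"31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427","signing_status":"Unsigned"}',
]

if __name__ == "__main__":
    for host, path in find_matches(SAMPLE_EVENTS):
        print(f"gdrv.sys load on {host}: {path}")
```

Note that WS03 (renamed file, valid signature) is caught only by the hash condition, and that adding the signing-status filter drops it: the two queries on this page are not equivalent in coverage.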